CVE-2023-7028 & 5356: GitLab Addresses Account Takeover & Command Flaws
In the ever-evolving landscape of cyber threats, GitLab, a renowned player in the DevOps field, has recently taken decisive steps to fortify its defenses against a series of critical vulnerabilities.
CVE-2023-7028: Account Takeover via password reset without user interactions
At the heart of this security update is a dire warning: CVE-2023-7028, a flaw with a maximum severity score of 10, posed a significant threat to GitLab users. This vulnerability, reported by the security researcher asterion04 through the HackerOne bug bounty program, could have led to account takeovers and the execution of unauthorized commands.
The flaw’s roots trace back to version 16.1, where a change allowed users to reset passwords via a secondary email. However, a glitch in the email verification process meant that reset emails could land in unverified inboxes – a potential goldmine for malicious actors.
“A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process,” GitLab said.
“An attacker will not be able to take over your account if you have 2FA enabled. They may still be able to reset your password but will not be able to access your second-factor authentication method. If you are suddenly redirected to login, or see a reset email triggered, please reset your password.”
This security fix has been backported to GitLab versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5 in addition to 16.5.6, 16.6.4, and 16.7.2.
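To make the root cause concrete, here is an added illustration (not GitLab's code, and not from the advisory) of the flawed flow beside a hardened one. It models a password-reset handler that receives the `user[email][]` form parameter: the vulnerable version treats every submitted address as a delivery target once any one of them matches an account, while the hardened version accepts exactly one address and sends the link only if that address is confirmed for the matched account. The user store, addresses and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class User:
    """Constructed account record: primary email is always confirmed,
    secondary emails carry their own confirmed flag."""
    username: str
    primary_email: str
    secondary_emails: dict = field(default_factory=dict)  # address -> confirmed?

    def all_addresses(self):
        return {self.primary_email, *self.secondary_emails}

    def confirmed_addresses(self):
        confirmed = {a for a, ok in self.secondary_emails.items() if ok}
        return {self.primary_email} | confirmed


# Constructed sample user store (hypothetical data, not GitLab's)
USERS = {
    "alice": User(
        "alice",
        "alice@example.com",
        {"alice.work@example.org": True, "alice.old@example.net": False},
    ),
}


def find_user_by_email(addr):
    """Look up an account by any address attached to it, confirmed or not."""
    for user in USERS.values():
        if addr in user.all_addresses():
            return user
    return None


def reset_recipients_vulnerable(form_body):
    """Models the flawed behaviour: the reset link is sent to every address
    in the submitted array as soon as one of them matches an account."""
    emails = parse_qs(form_body).get("user[email][]", [])
    matched = [u for u in (find_user_by_email(e) for e in emails) if u is not None]
    if not matched:
        return []
    return emails  # link goes to every submitted address, verified or not


def reset_recipients_hardened(form_body):
    """Hardened handling: exactly one address, matched to an account, and the
    link is sent only if that address is confirmed for that account."""
    params = parse_qs(form_body)
    emails = params.get("user[email][]", []) + params.get("user[email]", [])
    if len(emails) != 1:
        return []  # multi-valued (or empty) input is rejected outright
    addr = emails[0]
    user = find_user_by_email(addr)
    if user is None or addr not in user.confirmed_addresses():
        return []  # unknown or unconfirmed address: send nothing
    return [addr]


if __name__ == "__main__":
    body = "user[email][]=alice@example.com&user[email][]=attacker@example.net"
    print("vulnerable recipients:", reset_recipients_vulnerable(body))
    print("hardened recipients:  ", reset_recipients_hardened(body))
```

The hardened variant makes two separate decisions that the flawed flow collapsed into one: which account the request is about, and which addresses are allowed to receive the token for it. Only addresses the account holder has already confirmed qualify, which is the property the 16.1 change lost.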
Security researcher rwincey revealed the proof-of-concept (PoC) for the CVE-2023-7028 flaw with a simple request:
GitLab CVE-2023-7028 POC
user[email][]=valid@email.com&user[email][]=attacker@email.com
– PWNED
— b0yd (@rwincey) January 12, 2024
Another Critical Weakness: CVE-2023-5356
Joining the ranks of critical concerns was CVE-2023-5356, rated 9.6 in severity. This flaw involved incorrect authorization checks in GitLab Community Edition (CE) and Enterprise Edition (EE). Spanning a wide range of versions, this vulnerability allowed users to misuse Slack/Mattermost integrations to execute commands impersonating other users. Kudos to security researcher yvvdwf for flagging this issue via HackerOne.
Beyond the Critical: Patching Up Other Flaws
GitLab’s security overhaul didn’t stop with these two. Three additional vulnerabilities were addressed:
- CVE-2023-4812 (CVSS 7.6): This involved bypassing CODEOWNERS approval in merge requests.
- CVE-2023-6955 (CVSS 6.6): An access control issue in GitLab Remote Development, where workspaces could be wrongly associated with different root namespaces.
- CVE-2023-2030 (CVSS 3.5): A loophole in commit signature validation, allowing metadata alteration in signed commits.
What This Means for GitLab Users
For GitLab users, this update serves as a reminder of the importance of security hygiene. Enabling 2FA, staying alert to unusual activity such as unexpected password-reset emails or forced re-logins, and promptly updating to the patched versions are more critical than ever.