GitLab Critical Security Release 16.7.2 (CVE-2023-7028)


Fleury, Terry

Jan 12, 2024, 1:39:43 PM

CI Operators:

GitLab has released v16.7.2 [1] to address two critical security vulnerabilities and one high security vulnerability. One vulnerability (CVE-2023-7028) has a CVSSv3 score of 10.0 and should be patched immediately. This affects both GitLab Community Edition (CE) and Enterprise Edition (EE).

  • CVE-2023-7028 [2] - A user account password reset email could be sent to an unverified email address, enabling easy account take-over. (Note that users who have two-factor authentication enabled are vulnerable to password reset but not account take-over.) This vulnerability was introduced in v16.1.0 on May 1, 2023.
  • CVE-2023-5356 [3] - An attacker can abuse Slack/Mattermost integrations to execute "slash" commands as another user.
  • CVE-2023-4812 [4] - The required CODEOWNERS approval can be bypassed by adding changes to a previously approved merge request.

Affected Software

  • GitLab 16.1 < v16.1.6
  • GitLab 16.2 < v16.2.9
  • GitLab 16.3 < v16.3.7
  • GitLab 16.4 < v16.4.5
  • GitLab 16.5 < v16.5.6
  • GitLab 16.6 < v16.6.4
  • GitLab 16.7 < v16.7.2

Upgrade to the latest patched version of GitLab for your installation [5]. Enable two-factor authentication [6] for all GitLab accounts, especially for administrators.

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us ( if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

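The "Affected Software" list in the message above is easy to misread when an instance is on an older minor line, so the following is an added example (not part of the original post, and not Trusted CI's or GitLab's code) that turns that list into a version check. It transcribes the seven affected ranges exactly as the advisory states them and reports anything on an unlisted minor line (16.0 and earlier, 16.8 and later) as outside those ranges. The `fetch_version` helper is an assumption about how an operator would obtain the version: it calls GitLab's `GET /api/v4/version` endpoint, which needs an authenticated token and returns JSON such as `{"version": "16.7.1-ee", "revision": "..."}`; the base URL, token and the sample response body in `__main__` are constructed values.

```python
"""Check a GitLab version string against the affected ranges from the 16.7.2 advisory."""
import json
import re
import urllib.request
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First fixed release on each affected minor line, transcribed from the
# advisory's "Affected Software" list. A version on one of these lines is
# affected when it is older than the fix. Minor lines not listed here
# (16.0 and earlier, 16.8 and later) are outside the advisory's ranges.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

# Accepts "16.7.1", "v16.7.1", and the "16.7.1-ee" / "16.7.1-ce" form that a
# GitLab instance reports for itself. Anything else is rejected rather than
# guessed at.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version is on a listed minor line and older than its fix."""
    v = parse_version(text)
    fixed = FIRST_FIXED.get((v[0], v[1]))
    if fixed is None:
        return False  # not one of the minor lines the advisory lists
    return v < fixed  # tuple comparison is lexicographic: major, minor, patch


def describe(text: str) -> str:
    """Human-readable verdict for one version string."""
    v = parse_version(text)
    fixed = FIRST_FIXED.get((v[0], v[1]))
    if fixed is None:
        return f"{text}: not on a minor line listed as affected in the advisory"
    fixed_str = ".".join(str(n) for n in fixed)
    if v < fixed:
        return f"{text}: AFFECTED, upgrade to {fixed_str} or later"
    return f"{text}: patched ({fixed_str} or later)"


def fetch_version(base_url: str, token: str) -> str:
    """Ask a running instance for its version via GET /api/v4/version.

    The endpoint requires an authenticated user (here a personal access token
    sent in the PRIVATE-TOKEN header). base_url and token are caller-supplied
    assumptions; nothing in this function is taken from the advisory.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs. The first mimics an /api/v4/version response
    # body so the offline run exercises the same path as a live check would.
    sample_api_body = '{"version": "16.7.1-ee", "revision": "0123abcd"}'
    candidates = [
        json.loads(sample_api_body)["version"],
        "16.1.5",
        "16.6.4",
        "v16.0.8",
        "16.8.0",
    ]
    for candidate in candidates:
        print(describe(candidate))
```

A live check is `describe(fetch_version("https://gitlab.example.org", token))`; the offline run above prints one verdict per constructed version. Because the comparison keys on the minor line first, `16.1.5` is correctly flagged even though its patch number is lower than `16.7.2`'s, which a naive string comparison would get wrong.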