GitLab Critical Security Release 16.7.2 (CVE-2023-7028)


Fleury, Terry

Jan 12, 2024, 1:39:43 PM
to cv-an...@trustedci.org

CI Operators:

GitLab has released v16.7.2 [1] to address two critical and one high-severity security vulnerabilities. One of them (CVE-2023-7028) has a CVSSv3 score of 10.0 and should be patched immediately. All three affect both GitLab Community Edition (CE) and Enterprise Edition (EE).


Impact:

  • CVE-2023-7028 [2] - A user account password reset email could be sent to an unverified email address, enabling easy account takeover. (Note that users who have two-factor authentication enabled are still vulnerable to the password reset but not to account takeover.) This vulnerability was introduced in v16.1.0 on May 1, 2023.
  • CVE-2023-5356 [3] - An attacker can abuse Slack/Mattermost integrations to execute "slash" commands as another user.
  • CVE-2023-4812 [4] - The required CODEOWNERS approval can be bypassed by adding changes to a previously approved merge request.


Affected Software:

  • GitLab 16.1 < v16.1.6
  • GitLab 16.2 < v16.2.9
  • GitLab 16.3 < v16.3.7
  • GitLab 16.4 < v16.4.5
  • GitLab 16.5 < v16.5.6
  • GitLab 16.6 < v16.6.4
  • GitLab 16.7 < v16.7.2
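As an added example (not part of this advisory), a small Python check that classifies GitLab version strings against the affected ranges listed above. The sample version strings are constructed, and the status names ("affected", "patched", "predates", "not_listed", "unparseable") are my own labels, not GitLab's.

```python
import re
from typing import List, Optional, Tuple

# Fixed release for each affected minor series, taken from the advisory's list above.
FIXED_VERSIONS = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
# CVE-2023-7028 was introduced in v16.1.0, so earlier releases predate it.
FIRST_VULNERABLE = (16, 1, 0)
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse '16.7.1', 'v16.7.1' or '16.7.1-ee' into (major, minor, patch).
    Edition suffixes (-ee/-ce) and anything after the patch number are ignored."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def classify(text: str) -> str:
    """Status of one version string against the advisory's ranges:
    'affected', 'patched', 'predates', 'not_listed' or 'unparseable'."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    if v < FIRST_VULNERABLE:
        return "predates"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "not_listed"  # series outside 16.1-16.7; check the release notes instead
    return "affected" if v < fixed else "patched"

def needs_upgrade(versions: List[str]) -> List[str]:
    """Return the inputs that fall inside an affected range."""
    return [s for s in versions if classify(s) == "affected"]

if __name__ == "__main__":
    # Constructed sample: version strings as reported by several instances.
    sample = ["16.7.1-ee", "16.7.2-ee", "v16.1.5", "16.0.8", "16.8.0", "oops"]
    for s in sample:
        print(f"{s:12} {classify(s)}")
    print("upgrade:", needs_upgrade(sample))
```

The version string can be taken from the instance's `/api/v4/version` endpoint or from `gitlab-rake gitlab:env:info`, which report it with the edition suffix that `parse_version` strips.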


Recommendation:

Upgrade to the latest patched version of GitLab for your installation [5]. Enable two-factor authentication [6] for all GitLab accounts, especially for administrators.


References:

[1] https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5356

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4812

[5] https://about.gitlab.com/releases/categories/releases/

[6] https://docs.gitlab.com/ee/security/two_factor_authentication.html


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
