Over 5,300 internet-exposed GitLab instances face a severe security threat due to a zero-click account takeover flaw, CVE-2023-7028, recently highlighted by GitLab. This critical vulnerability, with a CVSS score of 10.0, enables attackers to initiate password reset emails for a targeted account to an email address under their control, ultimately allowing the takeover of the account. Despite not bypassing two-factor authentication (2FA), the flaw poses a substantial risk to accounts without this added security layer. The impacted versions include GitLab Community and Enterprise Edition versions ranging from 16.1 to 16.7, with GitLab releasing patches on January 11, 2024.
GitLab’s security updates, encompassing versions 16.7.2, 16.5.6, and 16.6.4, along with backported patches for earlier versions, were released to address the identified vulnerability. Despite these fixes being available for 13 days, ShadowServer’s threat monitoring service reports that 5,379 vulnerable GitLab instances remain exposed online. The majority of these instances are located in the United States, followed by Germany, Russia, China, France, the U.K., India, and Canada. Given GitLab’s role as a software development and project planning platform, the severity of the flaw implies risks of supply chain attacks, proprietary code disclosure, API key leaks, and other malicious activities.
Security experts stress the urgency of addressing this vulnerability promptly, as the exposed GitLab instances are susceptible to potential compromises, including supply chain attacks and unauthorized access. GitLab advises administrators to follow its incident response guide, check for signs of compromise, and take corrective actions such as credential rotation, enabling 2FA on all accounts, and applying the provided security updates. While there are no confirmed cases of active exploitation as of now, security professionals emphasize the importance of immediate action to mitigate potential risks associated with the CVE-2023-7028 vulnerability.
