GitLab has addressed a critical authentication vulnerability, tracked as CVE-2023-7028, that could allow attackers to hijack the password reset process. The flaw, introduced in GitLab version 16.1.0, enabled password reset messages to be sent to unverified email addresses, potentially leading to account takeovers. This vulnerability affected all user accounts allowing logins with usernames and passwords, including those with single sign-on (SSO) options. While accounts with two-factor authentication (2FA) were vulnerable to password reset attacks, the flaw didn’t provide access to the second-factor authentication method.
The issue was discovered in GitLab version 16.1.0, which introduced the option to send password reset emails to secondary email addresses to address cases where users couldn’t reset passwords due to lack of access to the primary email inbox. However, a bug in the email verification process allowed password reset messages to be sent to unverified email addresses. GitLab has urged users to update their self-managed instances to patched versions and enable 2FA for all accounts. The vulnerability was patched in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with backports to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
In addition to CVE-2023-7028, GitLab addressed another critical-severity bug, CVE-2023-5356, allowing attackers to exploit Slack/Mattermost integrations to execute slash commands as another user. The updates also resolved a high-severity flaw related to CODEOWNERS approval bypass, a medium-severity access control issue in GitLab Remote Development, and a low-severity flaw allowing attackers to modify the metadata of signed commits. GitLab has not detected any abuse of the vulnerability on its managed platforms, including GitLab.com and GitLab Dedicated instances.