GitLab fixes account takeover vulnerability

2FA provides some protection.

GitLab has patched a critical and trivial-to-exploit account takeover bug.

The attack vector for CVE-2023-7028 is the password reset function.

“User account password reset emails could be delivered to an unverified email address”, the organisation warned in an advisory.

Account takeover requires no user intervention, and GitLab said all users without single sign-on enforcement are vulnerable.

“If your configuration allows a username and password to be used in addition to SSO options, then you are impacted,” the advisory stated.

Although GitLab said it isn’t aware of any exploits in the wild, the bug has existed since May 2023 when version 16.1.0 first shipped.

That version introduced a feature allowing users to issue password resets through a secondary email address.

It affects self-managed GitLab CE/EE versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2.

Users running two-factor authentication are immune from account takeover unless the attacker also controls the 2FA authenticator, but attackers can still trigger password resets on unpatched instances.

If an instance cannot be patched immediately, the only mitigation is to authenticate through an external identity provider, in which case all password authentication options can be disabled.
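To turn the listed version ranges and the mitigation conditions into a check an administrator can run, here is an added Python example (not from the article and not GitLab's own code). It assumes plain major.minor.patch version strings with an optional suffix such as "-ee", and a flag the operator supplies for whether password sign-in is still enabled.

```python
# Added example: classify a self-managed GitLab instance against the
# CVE-2023-7028 ranges the advisory lists. Not part of the article.

# (first affected, first fixed) pairs taken from the advisory text;
# the first fixed version is exclusive.
AFFECTED_RANGES_CVE_2023_7028 = [
    ("16.1.0", "16.1.6"),
    ("16.2.0", "16.2.9"),
    ("16.3.0", "16.3.7"),
    ("16.4.0", "16.4.5"),
    ("16.5.0", "16.5.6"),
    ("16.6.0", "16.6.4"),
    ("16.7.0", "16.7.2"),
]


def parse_version(v: str) -> tuple:
    """Turn '16.5.3' or '16.5.3-ee' into (16, 5, 3); reject anything else."""
    core = v.strip().split("-")[0]          # drop an edition suffix like "-ee"
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, ranges=AFFECTED_RANGES_CVE_2023_7028) -> bool:
    """True if the version lies in any [first affected, first fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def exposure(version: str, password_login_enabled: bool) -> str:
    """Summarise the advisory guidance for one instance (assumed inputs)."""
    if not is_affected(version):
        return "not affected: version outside the listed ranges"
    if not password_login_enabled:
        return "affected version, but password sign-in disabled: mitigated until patched"
    # 2FA stops the takeover but not the unwanted reset emails, so patching
    # is still the only complete fix.
    return "affected: patch now; 2FA blocks takeover but not the reset emails"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver, pw in [("git-a", "16.5.5-ee", True), ("git-b", "16.7.2", True), ("git-c", "16.6.3", False)]:
        print(host, ver, "->", exposure(ver, pw))
```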

The issue has attracted the attention of the Australian Signals Directorate, which recommends urgent action.

Other fixes

Other security fixes in the release cover CVE-2023-5356, CVE-2023-4812, CVE-2023-6955, and CVE-2023-2030.

CVE-2023-5356 is an authentication error introduced in 2016 with the release of GitLab 8.13, and “allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user”.

While GitLab’s advisory gives CVE-2023-5356 a CVSS score of 7.3, its National Vulnerability Database entry scores it at 9.6.

Versions between 15.3 (released in August 2022) and 16.5.5 are also subject to CVE-2023-4812 (CVSS score 7.6), which lets an attacker bypass “CODEOWNERS” approval by “adding changes to a previously approved merge request”.

CVE-2023-6955 (CVSS score 6.6) is an improper access control vulnerability in GitLab Remote Development, affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. CVE-2023-2030 (CVSS score 3.5) allows an attacker to modify the metadata of signed commits in all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2.

Copyright © iTnews.com.au. All rights reserved.