The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical GitLab vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signalling that it is being exploited in the wild. The flaw, tracked as CVE-2023-7028, carries the maximum CVSS score of 10.0. It allows account takeover: an attacker who knows a victim's email address can cause the password reset email for that account to be delivered to an unverified, attacker-controlled address.
GitLab disclosed the vulnerability in January 2024, stating that it was introduced in version 16.1.0 on May 1, 2023. According to the company, the bug affects all authentication mechanisms in the impacted versions. Users with two-factor authentication enabled are still exposed to having their password reset, but not to account takeover, because the second factor is still required to log in.
The consequences are serious. An attacker who exploits the flaw gains control of a GitLab user account and, with it, whatever that account can see: source code, stored credentials and other sensitive data. From there the attacker can tamper with repositories, plant malicious code and stage software supply chain attacks against everyone who consumes the compromised projects, which makes this a critical risk for any organization building on GitLab.
Cloud security firm Mitiga spelled out those dangers in its analysis, noting that an attacker with access to CI/CD pipeline configuration can insert malicious code that exfiltrates sensitive data such as Personally Identifiable Information (PII) or authentication tokens. Its report also warned of malware being committed into repository code, degrading system integrity or creating backdoors for persistent unauthorized access.
GitLab shipped fixes in versions 16.5.6, 16.6.4 and 16.7.2, and backported them to 16.1.6, 16.2.9, 16.3.7 and 16.4.5; every 16.1 through 16.7 release earlier than those patch levels is affected, while 16.0.x and 16.8 onward are not. CISA has not disclosed how the vulnerability is being exploited in current attacks. Under its binding directive, federal civilian agencies must apply the updates by May 22, 2024. GitLab's advisory also urges self-managed administrators to enable two-factor authentication for all users, above all administrators, and to check the instance logs for reset requests carrying more than one email address, since a compromised account should be treated as a full credential exposure and its secrets rotated.
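The two checks above can be scripted. The following is an added example, not code from GitLab or from CISA: it decides whether a self-managed version string falls inside the affected ranges listed in this section, and it scans lines from gitlab-rails/production_json.log for the indicator GitLab's advisory describes, a POST to /users/password whose user[email] parameter is a JSON array holding more than one address. The log lines embedded here are constructed to resemble that format, and the field names (`path`, `params`, `remote_ip`, `time`) are assumptions about the log layout rather than something this article documents.

```python
import json
from typing import Iterable

# First fixed patch level for each affected minor series (from the advisory).
FIXED_IN = {
    (16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
    (16, 5): 6, (16, 6): 4, (16, 7): 2,
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '16.7.1-ee' into (16, 7, 1); edition suffixes are ignored."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the version is in an affected series and below its fix."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:          # 16.0.x, 16.8+ and other majors are unaffected
        return False
    return patch < fixed_patch


def reset_emails(entry: dict) -> list[str]:
    """Return the email value(s) submitted to the password reset endpoint."""
    if entry.get("method") != "POST" or entry.get("path") != "/users/password":
        return []
    # Assumed layout: params is a list of {"key": ..., "value": ...} objects.
    for param in entry.get("params", []):
        if param.get("key") != "user":
            continue
        email = (param.get("value") or {}).get("email")
        if isinstance(email, list):
            return [str(e) for e in email]
        if isinstance(email, str):
            return [email]
    return []


def find_suspicious_resets(lines: Iterable[str]) -> list[dict]:
    """Flag reset requests whose email parameter carried more than one address."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:     # skip non-JSON noise in the file
            continue
        emails = reset_emails(entry)
        if len(emails) > 1:
            hits.append({
                "time": entry.get("time"),
                "remote_ip": entry.get("remote_ip"),
                "emails": emails,
            })
    return hits


# Constructed sample lines: one exploit attempt, one legitimate reset, one unrelated request.
SAMPLE_LOG = [
    '{"method":"POST","path":"/users/password","controller":"PasswordsController",'
    '"action":"create","remote_ip":"203.0.113.7","time":"2024-01-12T09:41:03.112Z",'
    '"params":[{"key":"authenticity_token","value":"[FILTERED]"},'
    '{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}',
    '{"method":"POST","path":"/users/password","controller":"PasswordsController",'
    '"action":"create","remote_ip":"198.51.100.4","time":"2024-01-12T10:02:51.004Z",'
    '"params":[{"key":"user","value":{"email":"someone@example.com"}}]}',
    '{"method":"GET","path":"/users/sign_in","remote_ip":"198.51.100.4",'
    '"time":"2024-01-12T10:03:00.000Z","params":[]}',
]

if __name__ == "__main__":
    for v in ("16.7.1-ee", "16.7.2", "16.1.5", "16.8.0"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "not affected")
    for hit in find_suspicious_resets(SAMPLE_LOG):
        print("suspicious reset:", hit)
```

A single email in the reset form is normal traffic; the flagged entry is the one where the array contains both the victim's address and one the attacker controls. On a real instance the second check from the advisory, entries in gitlab-rails/audit_json.log whose meta.caller.id is PasswordsController#create and whose target_details is likewise a multi-address array, deserves the same treatment.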
Mapped to the MITRE ATT&CK framework, the attack begins with Initial Access through exploitation of a public-facing application (T1190): the attacker triggers the password reset, receives the link at an address they control and sets a new password. The account is then used as a valid account (T1078), and if the victim holds Maintainer, Owner or instance administrator rights, the attacker inherits those permissions, which is where the privilege escalation lies.
The continued exploitation of CVE-2023-7028 shows that organizations running self-managed GitLab need to upgrade to a fixed release now, enforce two-factor authentication and review their logs for signs of earlier abuse, rather than treating the patch alone as closure. Defending a platform that sits upstream of every build an organization ships calls for that kind of sustained, proactive posture.