GitLab has published corrective releases 16.7.2, 16.6.4 and 16.5.6 to address two critical vulnerabilities in its collaborative development platform. The first, CVE-2023-7028, is rated 10 out of 10 in severity and allows unauthorized access to user accounts by manipulating the password reset form. It stems from the ability to send a password reset code to unverified email addresses, a feature introduced in GitLab 16.1.0.
To check whether a system has been compromised, analyze gitlab-rails/production_json.log for HTTP requests to the /users/password path in which the params.value.email parameter lists multiple email addresses. Additionally, examine gitlab-rails/audit_json.log for entries whose meta.caller.id is PasswordsController#create and whose target_details block contains an array of addresses. Note that two-factor authentication can prevent the attack from succeeding.
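The two log checks above, as an added detection example that is not part of the original article or of GitLab's own tooling. It assumes GitLab's JSON log layout (params as a list of key/value objects, the caller recorded under a flat meta.caller_id key, and target_details that may be a JSON array or a string holding one) and runs over constructed sample lines.

```python
import json
# Constructed sample lines (not real GitLab logs) shaped like its JSON request and audit logs; params is
# a list of {"key","value"} objects, so the advisory's params.value.email is value["email"] (an assumption).
PRODUCTION_JSON_LOG = """\
{"method":"POST","path":"/users/password","status":302,"remote_ip":"203.0.113.5","params":[{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"POST","path":"/users/password","status":302,"remote_ip":"203.0.113.9","params":[{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}]}
"""
AUDIT_JSON_LOG = """\
{"meta.caller_id":"PasswordsController#create","target_details":"alice@example.com","ip_address":"203.0.113.5"}
{"meta.caller_id":"PasswordsController#create","target_details":"[\\"alice@example.com\\",\\"attacker@example.net\\"]","ip_address":"203.0.113.9"}
"""
def _parse(lines):
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the whole scan
def _as_email_list(value):
    # A plain string is one address; a string holding a JSON array (as audit entries may carry) is decoded.
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return [value]
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []

def scan_production_log(lines):
    # Password-reset requests whose user[email] parameter carries more than one address.
    hits = []
    for entry in _parse(lines):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            if param.get("key") == "user" and isinstance(param.get("value"), dict):
                emails = _as_email_list(param["value"].get("email"))
                if len(emails) > 1:
                    hits.append({"remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits

def scan_audit_log(lines):
    # PasswordsController#create audit events whose target_details lists several addresses.
    hits = []
    for entry in _parse(lines):
        caller = entry.get("meta.caller_id") or entry.get("meta", {}).get("caller_id")
        if caller != "PasswordsController#create":
            continue
        emails = _as_email_list(entry.get("target_details"))
        if len(emails) > 1:
            hits.append({"ip_address": entry.get("ip_address"), "emails": emails})
    return hits
```

Run each scanner over the corresponding log file with `open(path)` in place of the sample strings; a single-address reset request is normal and is not reported, only multi-address ones are.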
The second vulnerability, CVE-2023-5356, lies in the code integrating with the Slack and Mattermost services and allows slash commands to be executed under another user's account because of missing authorization checks. It is rated 9.6 out of 10. The new releases also fix a less severe vulnerability (CVE-2023-4812, rated 7.6 out of 10) that allows CODEOWNERS approval to be bypassed by adding changes to a previously approved merge request.
Further details of the vulnerabilities will be disclosed 30 days after the release of the fixes. The vulnerabilities were reported to GitLab by external hackers through GitLab's bug bounty program.