The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
Tracked as CVE-2023-7028 (CVSS score: 10.0), the critical-severity flaw could enable account takeover: a password reset request could cause the reset email to be delivered to an unverified, attacker-controlled email address, letting the attacker set a new password for the victim's account.
GitLab disclosed details of this issue in January, revealing that it was introduced in version 16.1.0 on May 1, 2023.
“Within these versions, all authentication mechanisms are affected,” the company stated. “Additionally, users with two-factor authentication enabled are susceptible to password reset attacks, although account takeover requires the second authentication factor for login.”
Successful exploitation could have severe consequences. An attacker who takes over a GitLab account could steal sensitive information and credentials, and potentially inject malicious code into source code repositories, paving the way for supply chain attacks.
“For example, an attacker gaining access to the CI/CD pipeline configuration could insert malicious code to extract sensitive data like Personally Identifiable Information (PII) or authentication tokens, redirecting them to a server controlled by the attacker,” explained cloud security firm Mitiga in a recent report.
“Likewise, modifying repository code could involve inserting malware compromising system integrity or introducing backdoors for unauthorized access. Malicious code or misuse of the pipeline could result in data theft, disruption of code, unauthorized access, and supply chain attacks.”
GitLab patched the vulnerability in versions 16.5.6, 16.6.4, and 16.7.2, and backported the fix to the earlier releases 16.1.6, 16.2.9, 16.3.7, and 16.4.5. Any self-managed instance running 16.1.0 or later that is below the patched release of its own minor line should be considered affected.
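The practical question for an operator is whether a given instance falls inside the vulnerable window. The following is an added example, not GitLab's own tooling, that encodes only the version facts above (introduced in 16.1.0, fixed in 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4 and 16.7.2) and classifies version strings such as `16.5.2-ee`. The sample inventory at the bottom is constructed for illustration; the `-ee`/`-ce` suffix handling assumes the usual GitLab version format.

```python
"""Classify GitLab versions against the CVE-2023-7028 fix window.

Added example; not GitLab's code. Facts used: the flaw was introduced in
16.1.0 and fixed in 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2.
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# First fixed release per affected minor line, as published by GitLab.
FIXED_RELEASES: dict[tuple[int, int], Version] = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
INTRODUCED: Version = (16, 1, 0)   # first vulnerable release
LATEST_FIX: Version = (16, 7, 2)   # everything from here on carries the fix

# Accepts "16.5.2", "16.5.2-ee", "16.5.2-ce" (suffix is ignored).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse MAJOR.MINOR.PATCH from a GitLab version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version is inside the CVE-2023-7028 vulnerable range."""
    v = parse_version(text)
    if v < INTRODUCED:
        return False            # predates the regression
    if v >= LATEST_FIX:
        return False            # 16.7.2 and every later release are fixed
    # Between 16.1.0 and 16.7.2 the minor line is always 16.1 .. 16.7, so the
    # lookup cannot miss; fall back to "affected" if it ever did.
    fixed = FIXED_RELEASES.get(v[:2])
    return True if fixed is None else v < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split {host: version} into affected and fixed host lists."""
    result: dict[str, list[str]] = {"affected": [], "fixed": []}
    for host, version in sorted(inventory.items()):
        result["affected" if is_affected(version) else "fixed"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "git-prod.example.internal": "16.5.2-ee",
        "git-staging.example.internal": "16.7.2-ee",
        "git-legacy.example.internal": "16.0.8-ce",
        "git-dev.example.internal": "16.4.5-ce",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The version string for a running instance is what `GET /api/v4/version` returns in its `version` field; feeding that into `is_affected` gives the answer without having to remember which backport applies to which minor line.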
CISA has not shared details of how the vulnerability is being exploited in real-world attacks. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by May 22, 2024, to secure their networks.