Facebook Pixel

Major security flaw in some versions of GitLab: A critical security alert and actions to take


Major security flaw in some versions of GitLab: A critical security alert and actions to take

This week, our team encountered a serious major GitLab security breach. Indeed, we received a notification of an administrator password change. And yet, we had not initiated any action in this direction. This incident revealed a critical vulnerability, CVE-2023-7028, in certain versions of GitLab. This vulnerability allows attackers to bypass accounts without requiring user intervention. In this article, we detail our experience. We will also explain the steps to follow to protect your data and avoid the consequences of this security breach.

What we experienced

We were alerted by an email notification message confirming the change to our administrator password. During our failed login attempts, we had to reset the password to regain access to our account. At this point, a message warned us to urgently update GitLab due to a critical flaw, CVE-2023-7028. This vulnerability allows anyone to trigger a reset link to any email address. This compromises the security of GitLab accounts.

Vulnerability Details

The security flaw, identified as CVE-2023-7028, exploits a change introduced in version 16.1.0 in May 2023. This change allowed users to perform password resets through a secondary email address. Attackers can exploit this vulnerability by sending a specially crafted HTTP request to trigger the sending of a password reset email. Therefore, they may receive a link to an email address that they control.

Affected GitLab versions include

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1

All authentication mechanisms, including some using single sign-on (SSO), are vulnerable. GitLab recommends disabling password authentication for self-managed clients with an external identity provider configured. It also recommends enabling two-level authentication.

Corrective Measures to Fix Major GitLab Security Flaw

To mitigate this vulnerability while awaiting final patching, you must enable two-factor authentication (2FA) for all accounts. Although users with 2FA enabled are not vulnerable to account takeover, it is essential to maintain increased vigilance. GitLab only supports 2FA that is app-based or delivered via a WebAuthn device, providing enhanced security. GitLab also offers a security patch that you can find on their website.

Conclusion

Although there is no evidence of successful exploitation of this flaw at the time of its disclosure, it is imperative to take immediate action to protect GitLab instances. Administrators, apply security patches as soon as possible and encourage the continued use of two-factor authentication for all accounts. Data and source code security should be a top priority, and prevention is the key to avoiding serious consequences of a security breach. Do you need assistance installing or securing your GitLab? Contact us .

Leave a comments:

We use cookies to ensure that we give you the best experience on our website. By continuing to use this site, you consent to our use of cookies. ... Our policy