GitLab is releasing a patch to fix a vulnerability in its email verification process that bad actors can exploit to reset user passwords and take over accounts.

The flaw, CVE-2023-7028, was introduced in May 2023 in GitLab 16.1.0, in which a change was made that allowed users to reset their password through a secondary email address.

The fix was introduced with the release this month of versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“The vulnerability is a result of a bug in the email verification process,” GitLab security engineer Greg Myers wrote in an notification. “The bug has been fixed with this patch and … we have implemented a number of preventive security measures to protect customers.”

Password Reset Process at Risk

The vulnerability could allow attackers to take over the password reset process by having password reset messages sent to unverified email addresses. It also could enable threat actors to take over accounts.

An account takeover “can occur when a meticulously constructed HTTP request is utilized to dispatch a password reset email to an unverified email address within an unpatched version,” cybersecurity services provider Bluefire Redteam wrote in a blog post. “This vulnerability allows unauthorized individuals to gain control over user accounts, potentially leading to unauthorized access and misuse of sensitive information.”

The flaw was found via the DevOps platform’s bug bounty program. So far, GitLab has not seen the vulnerability being exploited on platforms it manages, including GitLab.com and GitLab Dedicated instances, Myers wrote.

That’s good, because CVE-2023-7028 comes with the maximum severity of 10.0 on the CVS scoring system.

The flaw has a wide reach, affecting users accounts that include logins with usernames and passwords. Accounts with single sign-on (SSO) options also are vulnerable, Myers wrote.

“If your configuration allows a username and password to be used in addition to SSO options, then you are impacted,” he wrote. “Disabling all password authentication options … will mitigate the vulnerability for Self-Managed customers that have an external identity provider configured, as this will disable the ability to perform password reset.”

Those with 2FA are Better Protected

Users with two-factor authentication (2FA) enable aren’t vulnerable to an attacker taking over their account, but the bad actor will still be able to reset their password. That said, they won’t be able to access the 2FA method.

“If you are suddenly redirected to login, or see a reset email triggered, please reset your password,” Myers wrote.

The vulnerability affects GitLab CE and EE versions 16.1 through 16.7.1. GitLab is urging users to upgrade self-managed instances to a patched version using the platform’s upgrade path – and not skipping upgrade stops – and to enable 2FA on all GitLab accounts, particularly for users with elevated privileges, such as those with administrator accounts.

Bluefire Redteam wrote that the vulnerability “highlights the importance of implementing strong password policies and multi-factor authentication to protect against such attacks. Gitlab users should promptly update their systems to the latest version and ensure that their passwords are unique and complex.”

The firm also said that organizations need to regularly monitor Gitlab instances for suspicious activity.

The latest release also fixes another high-severity vulnerability – tracked as CVE-2023-5356 and with a CVS rating of 9.6 – that allowed hackers to abuse Slack and Mattermost integrations and execute slash commands as another user.

Threats to the Software Supply Chain

Developer platforms like GitLab are increasingly being targeted by threat groups looking to launch supply-chain attacks by planting malicious code in software that is then sent downstream to users. Vendors, industry groups, and government agencies are pushing such protections as software bills-of-materials (SBOMs) to ensure the security and safety of components being used in software development.

Most recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in November 2023 requested public input into another proposal to bolster security in the software supply chain by creating a unified system for software identification to track such information as know vulnerabilities, available security patches, and approved software.