CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog

CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any interaction.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.” reads the advisory published by GitLab.

The flaw impacts the following versions:

• 16.1 prior to 16.1.5
• 16.2 prior to 16.2.8
• 16.3 prior to 16.3.6
• 16.4 prior to 16.4.4
• 16.5 prior to 16.5.6
• 16.6 prior to 16.6.4
• 16.7 prior to 16.7.2

GitLab addressed the flaw with the releases 16.7.2, 16.5.6, and 16.6.4. The company backported security patches to 16.1.6, 16.2.9, and 16.3.7.

Self-managed customers are recommended to review their logs to check for possible attempts to exploit this vulnerability:

• Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
• Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

Researchers from ShadowServer still report thousands of instances exposed online that are vulnerable to this flaw, most of them in the US, Germany and Russia.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 22, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)