GitLab has released crucial security updates for both its Community and Enterprise Editions to counteract two critical vulnerabilities. One of these vulnerabilities has the potential for account hijacking with no user interaction, posing a significant threat to organizations relying on GitLab for their DevSecOps platform.
CVE-2023-7028 (Severity: 10/10)
The most severe security issue, tracked as CVE-2023-7028, stands out with a maximum severity score of 10 out of 10.
This GitLab flaw allows account takeover without any user interaction, creating a serious risk for organizations. The root cause is a flaw in the password reset flow: reset emails can be sent to an arbitrary, unverified email address instead of only to the address on record. Even if two-factor authentication (2FA) is active, the password can still be reset, but a successful login still requires the second authentication factor.
CVE-2023-7028 was discovered and reported by security researcher ‘Asterion’ via the HackerOne bug bounty platform. The flaw was introduced on May 1, 2023, with version 16.1.0, and affects releases from that version onward up to, but not including, the patched releases (16.7.2 is the latest of these). GitLab strongly urges users to update to the patched versions (16.7.2, 16.5.6, and 16.6.4) or apply the fix backported to versions 16.1.6, 16.2.9, and 16.3.7.
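The defect described above is a password reset flow that trusts request input when choosing where the reset token goes. The following Ruby sketch is an added illustration of the general design point, not GitLab's code or a description of GitLab's internals: a weak flow that mails the token to whatever address the request supplied (including addresses the account never confirmed) beside a hardened flow that resolves the account only through verified addresses, mails only the verified address on record, stores just a digest of a short-lived single-use token, and answers identically whether or not an account matched. The account store, mailer and addresses are constructed sample data.

```ruby
require 'securerandom'
require 'digest'

# Constructed account store (not GitLab's data model): each account has a
# verified primary address and may have addresses that were added but never
# confirmed.
ACCOUNTS = {
  'alice' => {
    primary_email: 'alice@example.com',
    verified_emails: ['alice@example.com'],
    unverified_emails: ['alice-new@example.net']
  }
}.freeze

# Stand-in mailer that records deliveries instead of sending them.
class RecordingMailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  def deliver(to:, token:)
    @sent << { to: to, token: token }
  end
end

# Weak flow: any address the account has ever entered, verified or not, can
# receive the reset token, and the token is mailed to exactly the string the
# request supplied. Whoever controls that unverified address controls the reset.
def weak_reset(request_email, mailer)
  account = ACCOUNTS.values.find do |a|
    (a[:verified_emails] + a[:unverified_emails]).include?(request_email)
  end
  return false unless account

  mailer.deliver(to: request_email, token: SecureRandom.hex(16))
  true
end

# Hardened flow: only a verified address identifies the account, the token is
# delivered to the verified address on record (never to request input), and
# only a SHA-256 digest of the single-use, expiring token is stored server-side.
RESET_TOKENS = {} # token digest => { account_id:, expires_at: }
TOKEN_TTL = 600   # seconds

def hardened_reset(request_email, mailer, now: Time.now)
  account_id, account = ACCOUNTS.find { |_, a| a[:verified_emails].include?(request_email) }
  if account
    token = SecureRandom.urlsafe_base64(32)
    RESET_TOKENS[Digest::SHA256.hexdigest(token)] = { account_id: account_id, expires_at: now + TOKEN_TTL }
    mailer.deliver(to: account[:primary_email], token: token)
  end
  # Identical response whether or not an account matched, so the endpoint does
  # not reveal which addresses are registered.
  'If that address is registered, a reset link has been sent.'
end

# Redeems a token exactly once; returns the account id or nil.
def consume_reset_token(token, now: Time.now)
  entry = RESET_TOKENS.delete(Digest::SHA256.hexdigest(token))
  return nil if entry.nil? || entry[:expires_at] <= now

  entry[:account_id]
end

if __FILE__ == $PROGRAM_NAME
  m = RecordingMailer.new
  weak_reset('alice-new@example.net', m)
  puts "weak flow mailed the token to: #{m.sent.last[:to]}"
  hardened_reset('alice-new@example.net', m)
  puts "hardened flow deliveries after an unverified address: #{m.sent.size}"
end
```

A reset completed this way should also leave the account's 2FA enrolment untouched, which is the property the article notes: resetting the password must not become a way to bypass the second factor.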
CVE-2023-5356 (Severity: 9.6/10)
The second critical vulnerability, identified as CVE-2023-5356, carries a severity score of 9.6 out of 10. This flaw allows attackers to exploit Slack/Mattermost integrations, executing slash commands as another user. In both Mattermost and Slack, slash commands play a crucial role in integrating external applications and invoking apps in the message composer box.
In addition to these critical vulnerabilities, GitLab has tackled various other issues in its latest release, version 16.7.2, including:
CVE-2023-4812: CODEOWNERS Bypass (Severity: High)
GitLab 15.3 and subsequent versions faced a high-severity vulnerability, denoted as CVE-2023-4812. This flaw allowed the circumvention of CODEOWNERS approval by manipulating previously sanctioned merge requests. The potential for unauthorized changes posed a significant risk to the integrity of the version control system.
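CODEOWNERS approval only protects a file if an approval stays bound to the exact change it was given for. The Ruby below is an added example, not GitLab's implementation and not a description of the specific defect behind CVE-2023-4812: it parses a constructed CODEOWNERS file with simplified gitignore-style matching (sections and the full pattern syntax are intentionally omitted), picks the last matching rule for each changed path, and honours an approval only when it was given on the merge request's current head SHA, so pushing further commits after approval reopens the requirement.

```ruby
# Parses a CODEOWNERS file into ordered rules. Section headers ("[Section]")
# and comments are skipped; this is a deliberate simplification of the real
# syntax for illustration.
def parse_codeowners(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#', '[') }.map do |line|
    pattern, *owners = line.split(/\s+/)
    { pattern: pattern, owners: owners }
  end
end

# gitignore-style matching: a pattern is anchored at the repository root if it
# starts with "/" or contains a slash in the middle; a trailing "/" makes it
# cover everything beneath that directory; an unanchored pattern may match at
# any depth.
def codeowners_match?(pattern, path)
  anchored = pattern.start_with?('/') || pattern.delete_suffix('/').include?('/')
  pat = pattern.delete_prefix('/')
  pat = "#{pat}**/*" if pat.end_with?('/')
  pat = "**/#{pat}" unless anchored
  File.fnmatch(pat, path, File::FNM_PATHNAME)
end

# Later rules take precedence over earlier ones for the same path.
def required_owners(rules, path)
  matched = rules.select { |r| codeowners_match?(r[:pattern], path) }.last
  matched ? matched[:owners] : []
end

# Approval gaps for a merge request. An approval is honoured only if it was
# given on the diff the merge request currently has (same head SHA); new
# commits pushed after approval invalidate it, so an already-approved MR
# cannot be changed without the owners looking again.
def codeowner_gaps(rules, changed_files, approvals, head_sha)
  current_approvers = approvals.select { |a| a[:sha] == head_sha }.map { |a| a[:user] }
  changed_files.each_with_object({}) do |path, gaps|
    owners = required_owners(rules, path)
    next if owners.empty? || (owners & current_approvers).any?

    gaps[path] = owners
  end
end

# Constructed sample CODEOWNERS content, not a real project's file.
CODEOWNERS_SAMPLE = <<~TXT
  # constructed sample
  *.rb      @ruby-team @alice
  /config/  @ops
  docs/     @docs-team
TXT

if __FILE__ == $PROGRAM_NAME
  rules = parse_codeowners(CODEOWNERS_SAMPLE)
  files = ['app/models/user.rb', 'config/gitlab.yml']
  approvals = [{ user: '@alice', sha: 'aaa' }, { user: '@ops', sha: 'aaa' }]
  puts "gaps at approved head: #{codeowner_gaps(rules, files, approvals, 'aaa')}"
  puts "gaps after a new push:  #{codeowner_gaps(rules, files, approvals, 'bbb')}"
end
```

The SHAs and usernames are placeholders. The check that matters is the `a[:sha] == head_sha` comparison: any approval model that lets an approval survive a change to the merge request's content gives up the guarantee CODEOWNERS is meant to provide.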
CVE-2023-6955: Workspaces Access Control (Severity: Notable)
GitLab versions predating 16.7.2 exhibited improper access control concerning Workspaces, as highlighted in CVE-2023-6955. This flaw enabled attackers to create a workspace within one group while associating it with an agent belonging to an entirely different group. Such cross-group workspace creation undermined the group isolation that GitLab's access controls are meant to enforce.
CVE-2023-2030: Commit Signature Validation (Severity: Significant)
A commit signature validation flaw, categorized under CVE-2023-2030, affected GitLab CE/EE versions from 12.2 onward. Because the signature validation process was inadequate, metadata associated with signed commits could be modified without the signature being rejected. That possibility undermines the integrity and authenticity guarantees that signed commits are supposed to provide for version-controlled code.
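A commit signature is only as meaningful as the bytes it covers. The Ruby below is an added illustration of that general point, not GitLab's verification code and not a reconstruction of the specific defect behind CVE-2023-2030, which the article does not detail. It models a commit as git stores it (headers, blank line, message), signs it with a constructed RSA key in two ways, and shows that a signature over the message alone still verifies after the committer header is rewritten, while a signature over the full commit payload (everything except the signature header itself, which is what git signs) is rejected. Hash values and identities are placeholders.

```ruby
require 'openssl'
require 'base64'

# Constructed commit object modelled on git's text format. Hashes and
# identities are placeholders, not real objects.
def sample_commit
  {
    'tree'      => '4b825dc642cb6eb9a060e54bf8d69288fbee4904',
    'parent'    => '0000000000000000000000000000000000000001',
    'author'    => 'Alice <alice@example.com> 1700000000 +0000',
    'committer' => 'Alice <alice@example.com> 1700000000 +0000',
    'message'   => "Fix input validation\n"
  }
end

# The payload git actually signs: every header except gpgsig, a blank line,
# then the message. Any change to author, committer, tree or parent changes it.
def canonical_payload(commit)
  headers = %w[tree parent author committer].map { |k| "#{k} #{commit[k]}" }
  "#{headers.join("\n")}\n\n#{commit['message']}"
end

def signed_data(commit, scope)
  scope == :full ? canonical_payload(commit) : commit['message']
end

# scope: :full signs the whole payload; :message_only signs just the message
# body, leaving every header outside the signature.
def sign_commit(commit, key, scope:)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signed_data(commit, scope))
  commit.merge('gpgsig' => Base64.strict_encode64(sig))
end

# Recomputes the signed data from the commit as stored and checks the
# signature against it; never trusts a cached or externally supplied result.
def verify_commit(commit, pub, scope:)
  sig = Base64.strict_decode64(commit['gpgsig'].to_s)
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, signed_data(commit, scope))
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Signs the sample commit under both scopes, rewrites the committer header
# after signing, and reports what each verifier accepts.
def tamper_demo
  key = OpenSSL::PKey::RSA.new(2048) # constructed key for the demo
  %i[message_only full].each_with_object({}) do |scope, results|
    signed = sign_commit(sample_commit, key, scope: scope)
    tampered = signed.merge('committer' => 'Someone Else <other@example.com> 1700000000 +0000')
    results[scope] = {
      original: verify_commit(signed, key, scope: scope),
      tampered_metadata: verify_commit(tampered, key, scope: scope)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  tamper_demo.each { |scope, r| puts "#{scope}: #{r}" }
end
```

The practical check for any platform displaying a "verified" badge is the one `verify_commit` performs with `scope: :full`: rebuild the signed payload from the stored object every time and verify against that, so a header edited after signing cannot keep a badge it no longer deserves.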