DIVD-2024-00002 - Account takeover vulnerability in Gitlab CE/EE
| Our reference | DIVD-2024-00002 |
| Case lead | Stan Plasmeijer |
| Author | Ralph Horn |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Patch your Gitlab instance to the non vulnerable version |
| Patch status | Released |
| Status | Open |
| Last modified | 10 Apr 2024 21:52 |
Summary
An account takeover vulnerability via password reset without any user interactions was discovered in Gitlab CE/EE. This vulnerability is tracked as CVE-2023-7028 and can allow an attacker to take control over administrator accounts. Gitlab has released a patch to remediate the vulnerability. This vulnerability is currently exploited in the wild.
What you can do
Given that there is active exploitation, it is crucial to patch the system as soon as possible. Gitlab recommends patching the system and enabling Two-Factor Authentication (2FA) for all GitLab accounts.
What we are doing
DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Gitlab instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.
Timeline
| Date | Description |
|---|---|
| 12 Jan 2024 | DIVD receives signals about a vulnerability in Gitlab EE/CE and starts fingerprinting |
| 13 Jan 2024 | “DIVD starts scanning for vulnerable instances.” |
| 13 Jan 2024 | “Case opened, first version of this casefile.” |
| 15 Jan 2024 | “DIVD starts notifying customers with a vulnerable instance. “ |