Skip to the content.

DIVD-2024-00002 - Account takeover vulnerability in Gitlab CE/EE

Our reference DIVD-2024-00002
Case lead Stan Plasmeijer
Author
Researcher(s)
CVE(s)
Products
  • Gitlab Enterprise Edition
  • Gitlab Community Edition
Versions
  • 16.1 prior to 16.1.5
  • 16.2 prior to 16.2.8
  • 16.3 prior to 16.3.6
  • 16.4 prior to 16.4.4
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2
Recommendation Patch your Gitlab instance to the non vulnerable version
Patch status Released
Status open
Last modified 15 Jan 2024 21:20

Summary

An account takeover vulnerability via password reset without any user interactions was discovered in Gitlab CE/EE. This vulnerability is tracked as CVE-2023-7028 and can allow an attacker to take control over administrator accounts. Gitlab has released a patch to remediate the vulnerability. This vulnerability is currently exploited in the wild.

What you can do

Given that there is active exploitation, it is crucial to patch the system as soon as possible. Gitlab recommends patching the system and enabling Two-Factor Authentication (2FA) for all GitLab accounts.

What we are doing

DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Gitlab instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.

Timeline

Date Description
12 Jan 2024 DIVD receives signals about a vulnerability in Gitlab EE/CE and starts fingerprinting
13 Jan 2024 “DIVD starts scanning for vulnerable instances.”
13 Jan 2024 “Case opened, first version of this casefile.”
15 Jan 2024 “DIVD starts notifying customers with a vulnerable instance. “
gantt title DIVD-2024-00002 - Account takeover vulnerability in Gitlab CE/EE dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00002 - Account takeover vulnerability in Gitlab CE/EE (still open) :2024-01-12, 2024-03-04 section Events DIVD receives signals about a vulnerability in Gitlab EE/CE and starts fingerprinting : milestone, 2024-01-12, 0d “DIVD starts scanning for vulnerable instances.” : milestone, 2024-01-13, 0d “Case opened, first version of this casefile.” : milestone, 2024-01-13, 0d “DIVD starts notifying customers with a vulnerable instance. “ : milestone, 2024-01-15, 0d

More information