DIVD-2024-00002 - Account takeover vulnerability in Gitlab CE/EE
Our reference | DIVD-2024-00002 |
---|---|
Case lead | Stan Plasmeijer |
Author | Ralph Horn |
Researcher(s) | |
CVE(s) | CVE-2023-7028 |
Products | |
Versions | |
Recommendation | Patch your GitLab instance to a non-vulnerable version |
Patch status | Released |
Status | Closed |
Last modified | 11 Jun 2024 17:39 CEST |
Summary
An account takeover vulnerability via password reset, requiring no user interaction, was discovered in GitLab CE/EE. This vulnerability is tracked as CVE-2023-7028 and can allow an attacker to take control of administrator accounts. GitLab has released a patch to remediate the vulnerability. This vulnerability is currently being exploited in the wild.
What you can do
Given that there is active exploitation, it is crucial to patch the system as soon as possible. GitLab recommends patching the system and enabling Two-Factor Authentication (2FA) for all GitLab accounts.
What we are doing
DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed GitLab instances and checking the reported version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.
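The version check described above, as an added example for administrators triaging their own inventory; this is not DIVD's scanner or GitLab's code. It assumes a list of hosts you administer together with the version string each instance reports (GitLab exposes this to authenticated users at `/api/v4/version`), and the fixed-version table below holds placeholder values only, to be replaced with the fixed versions from GitLab's advisory for CVE-2023-7028. The point it makes is branch-aware comparison: a 16.7.x instance is not "fixed" just because 16.7 is newer than a vulnerable 16.6.x, and a branch missing from the table is reported as unknown rather than assumed safe.

```python
import re

# PLACEHOLDER fixed-version table keyed by release branch "MAJOR.MINOR".
# These are illustrative stand-ins, not the real fixed releases: replace them
# with the versions listed in GitLab's advisory for CVE-2023-7028 before use.
FIXED_VERSIONS = {
    "16.5": "16.5.9",
    "16.6": "16.6.9",
    "16.7": "16.7.9",
}

# Constructed sample inventory: hostnames you administer and the version
# string each instance reports (for example from GET /api/v4/version).
SAMPLE_INVENTORY = {
    "git.example.internal": "16.7.1",
    "git-staging.example.internal": "16.7.9",
    "git-legacy.example.internal": "15.11.2",
    "git-broken.example.internal": "unknown",
    "git-ee.example.internal": "16.6.2-ee",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not parseable.

    Suffixes such as '-ee' or '-rc1' are ignored for comparison purposes."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(version_text):
    """Classify a reported version as 'vulnerable', 'fixed' or 'unknown'.

    A branch present in the table is vulnerable below its fixed patch level.
    A branch absent from the table (older, end-of-life, or simply not yet
    entered) is reported as 'unknown' rather than silently treated as safe."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unknown"
    return "vulnerable" if v < parse_version(fixed) else "fixed"


def triage(inventory):
    """Return {status: sorted list of hosts} for a {host: version} mapping."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        result[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts landing in the unknown bucket deserve a manual look: an unparseable version usually means the API call failed or the instance is behind a proxy that hides it, and an unlisted branch may be an unsupported release that never received a fix at all.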
Timeline
Date | Description |
---|---|
12 Jan 2024 | DIVD receives signals about a vulnerability in Gitlab EE/CE and starts fingerprinting |
13 Jan 2024 | DIVD starts scanning for vulnerable instances |
13 Jan 2024 | Case opened, first version of this casefile |
15 Jan 2024 | DIVD starts notifying customers with a vulnerable instance |
07 May 2024 | DIVD rescans the internet for vulnerable instances |
07 May 2024 | DIVD starts notifying network owners with a vulnerable instance for the second time |
01 Jun 2024 | DIVD rescans the internet for vulnerable instances |
01 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance for the third time |
01 Jun 2024 | Case closed |