
GitLab warns of critical zero-click account hijacking vulnerability
2024-01-12 17:54

GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.

The most critical security issue GitLab patched has the maximum severity score and is being tracked as CVE-2023-7028.

Hijacking a GitLab account can have a significant impact on an organization since the platform is typically used to host proprietary code, API keys and other sensitive data.

Another risk is supply chain attacks: when GitLab is used for CI/CD, an attacker holding a hijacked account can insert malicious code into repositories and have it carried through the pipeline into live environments.

The issue was discovered and reported to GitLab by security researcher 'Asterion' via the HackerOne bug bounty platform. It was introduced on May 1, 2023, with version 16.1.0.

The same releases also fix the following issues:

CVE-2023-4812: High-severity vulnerability in GitLab 15.3 and later, enabling a bypass of CODEOWNERS approval by making changes to a previously approved merge request.

CVE-2023-6955: Improper access control for Workspaces in GitLab prior to 16.7.2, allowing attackers to create a workspace in one group associated with an agent from another group.
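A practitioner's first question on reading this is whether a given instance is in the affected window. The following is an added example, not code from the article or from GitLab: it transcribes the affected ranges for all three CVEs from the Related Vulnerability table further down this page into half-open [introduced, fixed) intervals and checks a version string against them. The sample version strings are constructed; the assumption that a version without an "-ee" suffix is Community Edition is this example's own.

```python
"""Check a GitLab version string against the affected ranges for the three CVEs
listed on this page. Added example; the ranges are transcribed from the page's
Related Vulnerability table, the version strings below are constructed."""
import re

# (first affected, first fixed) per release line, half-open intervals.
# (0, 0, 0) as a lower bound means "all versions prior to" the upper bound.
ADVISORY = {
    "CVE-2023-7028": {"ee_only": False, "ranges": [
        ((16, 1, 0), (16, 1, 6)), ((16, 2, 0), (16, 2, 9)), ((16, 3, 0), (16, 3, 7)),
        ((16, 4, 0), (16, 4, 5)), ((16, 5, 0), (16, 5, 6)), ((16, 6, 0), (16, 6, 4)),
        ((16, 7, 0), (16, 7, 2)),
    ]},
    "CVE-2023-6955": {"ee_only": False, "ranges": [
        ((0, 0, 0), (16, 5, 6)), ((16, 6, 0), (16, 6, 4)), ((16, 7, 0), (16, 7, 2)),
    ]},
    # The table says this one affects GitLab EE only.
    "CVE-2023-4812": {"ee_only": True, "ranges": [
        ((15, 3, 0), (16, 5, 6)), ((16, 6, 0), (16, 6, 4)), ((16, 7, 0), (16, 7, 2)),
    ]},
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?")


def parse_version(text):
    """Return ((major, minor, patch), edition) for strings such as '16.7.1',
    '16.7.1-ee' or 'v16.5.0'. Assumption of this example: an '-ee' suffix
    marks Enterprise Edition and anything else is treated as CE."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch, suffix = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    edition = "ee" if suffix and suffix.lower().startswith("ee") else "ce"
    return version, edition


def affected_cves(version_text, advisory=ADVISORY):
    """Sorted list of CVE ids from the advisory whose ranges contain the version."""
    version, edition = parse_version(version_text)
    hits = []
    for cve, entry in advisory.items():
        if entry["ee_only"] and edition != "ee":
            continue
        if any(lo <= version < hi for lo, hi in entry["ranges"]):
            hits.append(cve)
    return sorted(hits)


def triage(version_texts):
    """Map each version string to its affected CVE list, or 'unparseable'."""
    result = {}
    for text in version_texts:
        try:
            result[text] = affected_cves(text)
        except ValueError:
            result[text] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory of instances to triage.
    for version, hits in triage(["16.7.1-ee", "16.7.2", "16.0.8", "15.2.0-ee", "junk"]).items():
        print(f"{version:12} -> {hits}")
```

The version string for a live instance is what the authenticated GET /api/v4/version endpoint returns; feed that field to triage() for each instance in an inventory. Note that the lower bound of the CVE-2023-6955 range is open-ended, so even pre-16.1 instances that are safe from the password reset bug still need the update for that issue.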


News URL

https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/

Related Vulnerability

DATE: 2024-01-12
CVE: CVE-2023-7028
VULNERABILITY TITLE: Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitlab
DESCRIPTION: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
ATTACK VECTOR: network; ATTACK COMPLEXITY: low; VENDOR: gitlab; CWE: CWE-640
RISK: critical (9.8)

DATE: 2024-01-12
CVE: CVE-2023-6955
VULNERABILITY TITLE: Missing Authorization vulnerability in Gitlab
DESCRIPTION: A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2.
ATTACK VECTOR: network; ATTACK COMPLEXITY: low; VENDOR: gitlab; CWE: CWE-862
RISK: 5.3

DATE: 2024-01-12
CVE: CVE-2023-4812
VULNERABILITY TITLE: Unspecified vulnerability in Gitlab
DESCRIPTION: An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2.
ATTACK VECTOR: network; ATTACK COMPLEXITY: low; VENDOR: gitlab
RISK: 5.3
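The CVE-2023-7028 entry names the bug class, CWE-640 (weak password recovery), and the effect: a reset email for one account reaching an address that account never verified. The following is an added illustration of that class beside its hardened form. It is not GitLab's code and not a reconstruction of the patched path, which this page does not show; the account data, the request shape (a list of addresses), the token store and the returned "mail" pairs are all constructed for the example.

```python
"""Password-reset recipient handling: a CWE-640 style handler and a hardened one.
Added example, not GitLab's code; accounts and request shapes are constructed."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str
    verified_emails: frozenset  # addresses the account owner has confirmed


@dataclass
class ResetTokenStore:
    """Keeps only a SHA-256 digest of each issued token, with an expiry."""
    ttl_seconds: int = 3600
    _issued: dict = field(default_factory=dict)

    def issue(self, account):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._issued[digest] = (account.username, time.time() + self.ttl_seconds)
        return token

    def redeem(self, token):
        """Return the username the token resets, or None; single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._issued.pop(digest, None)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


def normalize(addr):
    return addr.strip().lower()


def send_reset_vulnerable(accounts, store, requested_addresses):
    """Vulnerable pattern: the request carries a list of addresses, any one that
    matches an account selects it, and the reset link is then mailed to every
    address in the list, verified or not. A request listing the victim's real
    address plus an attacker address hands the attacker the victim's link.
    Returns the (recipient, token) pairs that would be mailed."""
    requested = [normalize(a) for a in requested_addresses]
    account = next(
        (acc for acc in accounts if any(a in acc.verified_emails for a in requested)),
        None,
    )
    if account is None:
        return []
    token = store.issue(account)
    return [(addr, token) for addr in requested]


def send_reset_hardened(accounts, store, requested_addresses):
    """Hardened: exactly one address is accepted, it must be verified for the
    account it selects, and the link goes only to the account's own primary
    address, never to caller-supplied data. An HTTP layer wrapping this would
    return the same generic response whether or not anything was sent, to limit
    account enumeration; here the mail list is returned so the difference shows."""
    if len(requested_addresses) != 1:
        return []
    addr = normalize(requested_addresses[0])
    account = next((acc for acc in accounts if addr in acc.verified_emails), None)
    if account is None:
        return []
    token = store.issue(account)
    return [(account.primary_email, token)]


# Constructed sample data for the demonstration.
VICTIM = Account("victim", "victim@example.com", frozenset({"victim@example.com"}))
ACCOUNTS = [VICTIM]
ATTACKER_ADDRESS = "attacker@evil.example"


def demo():
    """Same hostile request against both handlers; returns the recipients each would mail."""
    store = ResetTokenStore()
    hostile = ["victim@example.com", ATTACKER_ADDRESS]
    leaked = [r for r, _ in send_reset_vulnerable(ACCOUNTS, store, hostile)]
    safe = [r for r, _ in send_reset_hardened(ACCOUNTS, store, hostile)]
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The fix is not only the single-address rule: the essential change is that the recipient is derived from the account record rather than from the request. A handler that accepted one address but still mailed the link to that address as typed, instead of to the account's verified one, would remain in the same bug class.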

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gitlab 10 47 736 246 58 1087