Security News > 2024 > January > GitLab warns of critical zero-click account hijacking vulnerability
GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.
The most critical security issue GitLab patched has the maximum severity score and is being tracked as CVE-2023-7028.
Hijacking a GitLab account can have a significant impact on an organization since the platform is typically used to host proprietary code, API keys and other sensitive data.
Another risk is that of supply chain attacks where attackers can compromise repositories by inserting malicious code in live environments when GitLab is used for CI/CD. The issue was discovered and reported to GitLab by security researcher 'Asterion' via the HackerOne bug bounty platform and was introduced on May 1, 2023, with version 16.1.0.
CVE-2023-4812: High-severity vulnerability in GitLab 15.3 and later, enabling the bypassing of CODEOWNERS approval by making changes to a previously approved merge request.
CVE-2023-6955: Improper access control for Workspaces existing in GitLab prior to 16.7.2, allowing attackers to create a workspace in one group associated with an agent from another group.
News URL
Related news
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- AWS Patches Critical 'FlowFixation' Bug in Airflow Service to Prevent Session Hijacking (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-12 | CVE-2023-7028 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. | 7.5 |
| 2024-01-12 | CVE-2023-6955 | Exposure of Resource to Wrong Sphere vulnerability in Gitlab An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. | 5.3 |
| 2024-01-12 | CVE-2023-4812 | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. | 5.3 |