Security News > 2024 > January > GitLab warns of critical zero-click account hijacking vulnerability
![GitLab warns of critical zero-click account hijacking vulnerability](/static/build/img/news/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability-medium.jpg)
GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.
The most critical security issue GitLab patched has the maximum severity score and is being tracked as CVE-2023-7028.
Hijacking a GitLab account can have a significant impact on an organization since the platform is typically used to host proprietary code, API keys and other sensitive data.
Another risk is that of supply chain attacks: when GitLab is used for CI/CD, attackers who control a repository can push malicious code straight into live environments.

The issue was discovered and reported to GitLab by security researcher 'Asterion' via the HackerOne bug bounty platform. It was introduced on May 1, 2023, with version 16.1.0.

The same release also addresses the following flaws:

CVE-2023-4812: High-severity vulnerability in GitLab 15.3 and later that allows CODEOWNERS approval to be bypassed by modifying a previously approved merge request.

CVE-2023-6955: Improper access control for Workspaces in GitLab prior to 16.7.2, allowing attackers to create a workspace in one group that is associated with an agent from another group.
Related news
- GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others
- Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
- VMware fixes critical vCenter RCE vulnerability, patch now
- Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool
- Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application
- Critical GitLab bug lets attackers run pipelines as any user
- Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack
- GitLab: Critical bug lets attackers run pipelines as other users
- GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs
- Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-12 | CVE-2023-7028 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in GitLab. An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2, in which user account password reset emails could be delivered to an unverified email address. | 7.5 |
2024-01-12 | CVE-2023-6955 | Exposure of Resource to Wrong Sphere vulnerability in GitLab. An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. | 5.3 |
2024-01-12 | CVE-2023-4812 | Unspecified vulnerability in GitLab. An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. | 5.3 |
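The affected ranges quoted for CVE-2023-7028 are per minor series, so a plain "is my version below 16.7.2" check gets 16.5.x and 16.6.x wrong. The following is an added example (not code from the article or from GitLab) that encodes those ranges and tells an administrator whether a given instance version string, e.g. `16.5.3-ee` as shown in the admin area, falls inside them and which patched release closes its series.

```python
# Added example, not from the article: check a GitLab version against the
# "X.Y prior to X.Y.Z" ranges the advisory lists for CVE-2023-7028.
import re

# (minor series, first fixed release in that series), one entry per quoted range
AFFECTED_RANGES_CVE_2023_7028 = [
    ((16, 1), (16, 1, 6)),
    ((16, 2), (16, 2, 9)),
    ((16, 3), (16, 3, 7)),
    ((16, 4), (16, 4, 5)),
    ((16, 5), (16, 5, 6)),
    ((16, 6), (16, 6, 4)),
    ((16, 7), (16, 7, 2)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' with an optional 'v' prefix or '-ee' style
    suffix (e.g. 'v16.5.3-ee') into a tuple of ints for ordered comparison."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def minimum_fixed_version(version_text, ranges=AFFECTED_RANGES_CVE_2023_7028):
    """Return the patched release for the version's minor series as a string,
    or None when the version is outside every affected range (older than 16.1,
    already patched, or a later series)."""
    version = parse_version(version_text)
    for series, fixed in ranges:
        # Only compare within the same minor series; tuples order lexically.
        if version[:2] == series and version < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version_text, ranges=AFFECTED_RANGES_CVE_2023_7028):
    """True if the version falls inside any affected range."""
    return minimum_fixed_version(version_text, ranges) is not None


if __name__ == "__main__":
    # Constructed sample inventory of instance versions, not real hosts.
    for v in ["16.0.9", "16.1.0", "16.5.3-ee", "16.6.4", "16.7.1", "16.8.0"]:
        fix = minimum_fixed_version(v)
        print(f"{v:10} affected={is_affected(v)!s:5} upgrade_to={fix}")
```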