Security News > 2024 > January > Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers

Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to send a password reset email to an attacker-controlled, unverified email address.
Users with 2FA enabled aren't vulnerable to account takeover, unless the attacker also had control of the 2FA authenticator, but a password reset could still be achieved.
GitLab doesn't support SMS-based 2FA - the most commonly hijacked implementation - only supporting app-based 2FA or that issued via a WebAuthn device, which are much more secure.
A takeover of a GitLab account could mean serious business for attackers, given the amount of intellectual property and source code belonging to organizations held in the DevOps platform.
CVE-2023-6955: An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2.
CVE-2023-2030: An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/15/critical_gitlab_vulnerability/
Related news
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)
- Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-12 | CVE-2023-6955 | Missing Authorization vulnerability in Gitlab A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. | 5.3 |
2024-01-12 | CVE-2023-2030 | Improper Verification of Cryptographic Signature vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. | 5.3 |