Security News > 2024 > May > High-severity GitLab flaw lets attackers take over accounts

High-severity GitLab flaw lets attackers take over accounts
2024-05-23 17:43

GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting attacks.

"Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition and Enterprise Edition," GitLab said.

On Wednesday, the company also fixed six other medium-severity security flaws, including a Cross-Site Request Forgery via the Kubernetes Agent Server and a denial-of-service bug that can let attackers disrupt the loading of GitLab web resources.

Hijacked GitLab accounts can have a significant impact, including supply chain attacks, if the attackers insert malicious code in CI/CD environments, compromising an organization's repositories.

Tracked as CVE-2023-7028, this maximum severity security flaw allows unauthenticated attackers to take over GitLab accounts via password resets.

Even though Shadowserver discovered over 5,300 vulnerable GitLab instances exposed online in January, less than half are still reachable at the moment.


News URL

https://www.bleepingcomputer.com/news/security/high-severity-gitlab-flaw-lets-attackers-take-over-accounts/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-01-12 CVE-2023-7028 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gitlab
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
network
low complexity
gitlab CWE-640
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gitlab 10 47 736 246 58 1087