GitLab Fixes Password Reset Bug That Allows Account Takeover
GitLab is releasing a patch to fix a vulnerability in its email verification process that bad actors can exploit to reset user passwords and take over accounts.
The flaw, CVE-2023-7028, was introduced in May 2023 in GitLab 16.1.0, in which a change was made that allowed users to reset their password through a secondary email address.
The fix shipped this month in versions 16.7.2, 16.6.4, and 16.5.6 of GitLab Community Edition (CE) and Enterprise Edition (EE).
“The vulnerability is a result of a bug in the email verification process,” GitLab security engineer Greg Myers wrote in a notification. “The bug has been fixed with this patch and … we have implemented a number of preventive security measures to protect customers.”
Password Reset Process at Risk
The vulnerability lets an attacker hijack the password reset process: the reset message, which carries the reset link, can be delivered to an email address the account holder never verified, including one the attacker controls. Whoever receives that link can set a new password, so for an account without a second factor this is a full account takeover. Accounts with two-factor authentication enabled can still have their password reset this way, but the attacker cannot sign in without the second factor.
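To make the failure mode concrete, here is an added Ruby model of the two reset flows described above. It is illustrative code written for this page, not GitLab's own implementation. It assumes, as a modelling choice, that the reset form accepts more than one address in a request and that the vulnerable handler delivers the reset link to every address it was given; the account data, the `deliver` outbox, and the function names are all constructed for the example.

```ruby
require 'securerandom'

# Constructed sample data: one account with a verified primary address and
# an unverified secondary address an attacker supplied. Not GitLab's schema.
User  = Struct.new(:id, :emails, :reset_token, keyword_init: true)
Email = Struct.new(:address, :verified, keyword_init: true)

USERS = [
  User.new(id: 1, emails: [
    Email.new(address: 'victim@example.com',    verified: true),
    Email.new(address: 'attacker@evil.example', verified: false)
  ], reset_token: nil)
]

# Outbox stand-in for the mailer: records who each reset link went to.
def deliver(outbox, address, token)
  outbox << { to: address, token: token }
end

# VULNERABLE: the account is resolved from any supplied address, verified or
# not, and the reset link is sent to every address listed in the request.
# An attacker who adds their own address receives a valid reset token.
def reset_vulnerable(requested_emails, outbox)
  user = USERS.find { |u| u.emails.any? { |e| requested_emails.include?(e.address) } }
  return :no_such_user unless user

  user.reset_token = SecureRandom.hex(16)
  requested_emails.each { |addr| deliver(outbox, addr, user.reset_token) }
  :sent
end

# HARDENED: resolve the account only through addresses it has verified, and
# send the link only to that account's verified addresses, never to whatever
# the request happened to contain.
def reset_hardened(requested_emails, outbox)
  user = USERS.find do |u|
    u.emails.any? { |e| e.verified && requested_emails.include?(e.address) }
  end
  return :no_such_user unless user

  user.reset_token = SecureRandom.hex(16)
  user.emails.select(&:verified).each { |e| deliver(outbox, e.address, user.reset_token) }
  :sent
end

# Redeem a token the way an attacker who read it from their own inbox would.
# Returns true when the token matches an outstanding reset, i.e. the password
# could now be changed (the actual update is omitted here).
def consume_reset(token)
  user = USERS.find { |u| u.reset_token && u.reset_token == token }
  return false unless user

  user.reset_token = nil
  true
end

if __FILE__ == $PROGRAM_NAME
  outbox = []
  reset_vulnerable(['victim@example.com', 'attacker@evil.example'], outbox)
  puts "vulnerable flow delivered to: #{outbox.map { |m| m[:to] }.inspect}"
  outbox = []
  reset_hardened(['victim@example.com', 'attacker@evil.example'], outbox)
  puts "hardened flow delivered to:   #{outbox.map { |m| m[:to] }.inspect}"
end
```

The point of the hardened version is that the set of recipients is derived from server-side state (the account's verified addresses), not from the request. Rejecting a second address in the request would also close this particular path, but tying delivery to verified addresses is the property a reviewer should look for, because it still holds when the form is reached through some other route.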