The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw affecting GitLab to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild.
Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum-severity vulnerability could allow password reset emails to be sent to unverified email addresses, potentially facilitating account takeover.
GitLab, which revealed details of the flaw earlier this year, said the flaw was introduced as part of code changes in version 16.1.0 on May 1, 2023.
“All authentication mechanisms are affected in these versions,” the company said at the time. “Additionally, a user who has two-factor authentication enabled is vulnerable to password reset, but not to account takeover because logging in requires their second authentication factor.”
Successful exploitation of this issue could allow an adversary to take control of GitLab user accounts, steal sensitive information and credentials, and even contaminate source code repositories with malicious code, potentially leading to supply chain attacks.
“For example, if an attacker gains access to a CI/CD pipeline configuration, they can embed malicious code designed to exfiltrate sensitive data such as personally identifiable information (PII) or authentication tokens to adversary-controlled servers,” cloud security company Mitiga said in a recent report.
“Similarly, tampering with repository code can include the insertion of malware that compromises system integrity or introduces backdoors for unauthorized access. Exploitation can lead to data theft, code disruption, unauthorized access, and supply chain attacks.”
This flaw has been resolved in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and the patch has also been backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
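The fixed and backported release numbers above define which GitLab versions still carry the flaw. The following is an added example (not code from the article, GitLab or CISA) that turns that list into a version check an administrator can run against an inventory of instances: a release is affected if it is at or above 16.1.0 and below the fixed release on its minor branch; branches newer than 16.7 are assumed to ship with the fix. The inventory dictionary and the hostnames in it are constructed sample data, and the "-ee"/"-ce" suffix handling is an assumption about how GitLab reports its version string.

```python
"""Check GitLab version strings against the CVE-2023-7028 fixed-release list."""

# Boundaries taken from the advisory text: the bug was introduced in 16.1.0 and
# fixed in 16.5.6, 16.6.4, 16.7.2, with backports to 16.1.6, 16.2.9, 16.3.7, 16.4.5.
INTRODUCED = (16, 1, 0)
FIXED_BY_BRANCH = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' (optionally suffixed, e.g. '16.5.1-ee') into a tuple."""
    core = text.strip().split("-")[0]  # assumption: edition suffix follows a hyphen
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(text):
    """Return True if the given GitLab version still lacks the CVE-2023-7028 fix."""
    version = parse_version(text)
    if version < INTRODUCED:
        return False  # predates the code change that introduced the flaw
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Every branch from 16.1 to 16.7 is in the table, so an unlisted branch
        # is newer than 16.7 and already contains the fix.
        return False
    return version < fixed


def audit(inventory):
    """Given {hostname: version_string}, return the hostnames that need patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "gitlab-dev.example.internal": "16.5.1-ee",   # on a fixed branch, below the fix
    "gitlab-prod.example.internal": "16.7.2-ee",  # exactly the fixed release
    "gitlab-legacy.example.internal": "16.0.8",   # predates the bug
    "gitlab-new.example.internal": "16.8.0-ce",   # newer than the last fixed branch
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, update required")
```

The check is deliberately conservative about unparseable strings: `parse_version` raises rather than silently reporting an instance as safe, so a malformed entry in the inventory surfaces as an error instead of a false "patched" result.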
CISA has not yet provided any other details about how this vulnerability is being exploited in real attacks. In light of the active exploitation, federal agencies must apply the latest patches by May 22, 2024 to protect their networks.