A new critical vulnerability affecting GitLab, identified as CVE-2023-7028, has received a CVSS 3.1 score of 10. The Stormshield Customer Security Lab details our protection offerings.
The context of CVE-2023-7028
A new vulnerability, identified as CVE-2023-7028, has been discovered in GitLab Community Edition and GitLab Enterprise Edition in the following versions:
- For the branch 16.1, all versions prior to 16.1.6;
- For the branch 16.2, all versions prior to 16.2.9;
- For the branch 16.3, all versions prior to 16.3.7;
- For the branch 16.4, all versions prior to 16.4.5;
- For the branch 16.5, all versions prior to 16.5.6;
- For the branch 16.6, all versions prior to 16.6.4;
- For the branch 16.7, all versions prior to 16.7.2.
This vulnerability allows a remote attacker to reset the password of any GitLab account by exploiting a flaw in the account password recovery procedure.
The technical details of CVE-2023-7028
In a password recovery request, the server accepts multiple email addresses as long as the first one is linked to a valid account. As a result, an attacker can also supply any email address under their control, receive the password reset email at that address, set a new password of their choice and then log in to the hijacked account.
It is important to note that, if enabled, multifactor authentication mitigates the risk, because the attacker would also need access to the second authentication factor in order to log in to the account.
CVE-2023-7028 and Stormshield protections
Stormshield Network Security
The following IPS signature detects and blocks exploitation of this vulnerability on an on-premises GitLab instance:
- http:mix.355: Exploitation of an account takeover vulnerability in Gitlab (CVE-2023-7028)
For this signature to detect exploitation of the vulnerability, the SSL proxy must be enabled.
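As an added example (not Stormshield's or GitLab's code), the following Ruby sketch contrasts the reset-request handling the advisory describes with a hardened form, and includes the structural check an inspection layer such as the IPS signature above can apply to a decoded reset request. The account store, the "email" parameter name and the request shapes are assumptions made for the illustration.

```ruby
# Constructed sample account store (assumption): the address stored on each
# account is the only place a reset link should ever be sent to.
ACCOUNTS = [
  { id: 1, email: "alice@example.com" },
  { id: 2, email: "bob@example.com" },
].freeze

# Look up an account by the normalised address stored on it.
def find_account(email)
  ACCOUNTS.find { |account| account[:email] == email }
end

# Simplified illustration of the flawed logic the advisory describes:
# the request may carry several addresses, only the first one is checked
# against an existing account, and the reset link goes to every address
# supplied in the request. Returns the list of recipients.
def reset_recipients_vulnerable(params)
  emails = Array(params["email"])
  return [] if emails.empty? || find_account(emails.first).nil?
  emails
end

# Hardened variant: exactly one plain-string address is accepted, anything
# that looks like a list is rejected rather than split, and the recipient
# is taken from the account record, never from the request.
def reset_recipients_hardened(params)
  email = params["email"]
  return [] unless email.is_a?(String)
  email = email.strip.downcase
  return [] if email.empty? || email.match?(/[\s,;<>]/)
  account = find_account(email)
  return [] unless account
  [account[:email]]
end

# Inspection-layer check on a decoded reset request: a legitimate recovery
# request names a single address, so an array with several entries, or a
# string carrying several addresses, is the structural sign to alert on.
def multiple_addresses?(params)
  value = params["email"]
  return true if value.is_a?(Array) && value.length > 1
  return true if value.is_a?(String) && value.scan("@").length > 1
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed decoded request bodies, one legitimate and one with two addresses.
  legitimate = { "email" => "alice@example.com" }
  suspicious = { "email" => ["alice@example.com", "attacker@example.net"] }
  puts "vulnerable handler, suspicious request: #{reset_recipients_vulnerable(suspicious).inspect}"
  puts "hardened handler, suspicious request:   #{reset_recipients_hardened(suspicious).inspect}"
  puts "hardened handler, legitimate request:   #{reset_recipients_hardened(legitimate).inspect}"
  puts "flagged by inspection check: #{multiple_addresses?(suspicious)}"
end
```

The hardened handler also answers uniformly (an empty recipient list) whether the address is unknown or the request is malformed, so the reset endpoint does not become an account enumeration oracle; the inspection check mirrors what a network-level signature can observe once the SSL proxy exposes the decoded request body.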
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
We strongly recommend that you update your version of GitLab as soon as possible, as this is the only way to prevent this attack.