GitLab has released important security fixes in versions 16.7.2, 16.6.4, and 16.5.6 of GitLab Community Edition (CE) and Enterprise Edition (EE). The releases address multiple bugs, including a critical account takeover vulnerability that requires no user interaction.
The other fixes cover a CODEOWNERS approval removal bypass, execution of slash commands by abusing the Slack/Mattermost integrations, workspace creation under a different root namespace, and a commit signature validation weakness that allows the metadata of signed commits to be modified.
The CVEs for these vulnerabilities are CVE-2023-7028, CVE-2023-4812, CVE-2023-5356, CVE-2023-6955, and CVE-2023-2030. Their severity ratings range from 3.5 (Low) to 10.0 (Critical).
Vulnerable GitLab Servers
CVE-2023-7028: Account Takeover
A threat actor can exploit this vulnerability to have a user's password reset email delivered to an unverified, attacker-controlled email address, which can lead to a complete account takeover.
The impact then depends on the permissions of the compromised account: an attacker can go on to steal source code, secrets, and other valuable information that account can reach.
The vulnerability affects GitLab CE/EE in all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2.
Additional reports from ShadowServer indicate that more than 5,379 servers were potentially vulnerable to this account takeover vulnerability, with 900+ servers in the US and 700+ servers in Germany.
Cause of this vulnerability
GitLab stated that a change introduced in version 16.1.0 allowed users to reset their password using a secondary email address. A bug in the email verification step of that change is what made this vulnerability possible.
GitLab has since implemented several preventive measures to protect customers from threat actors.
Mitigation Steps
According to the reports shared with Cyber Security News, this vulnerability has been fixed in the latest GitLab releases. GitLab also stated that it had found no evidence of the vulnerability being exploited in the wild by threat actors.
Self-managed customers can look for possible exploitation attempts in two places.
First, check gitlab-rails/production_json.log for HTTP requests to the /users/password path whose params.value.email is a JSON array containing multiple email addresses: a legitimate reset request carries a single address, so an array with more than one entry is the signature of the attack.
Second, check gitlab-rails/audit_json.log for entries with a meta.caller_id of PasswordsController#create and a target_details field consisting of a JSON array with multiple email addresses.
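The two log checks above can be automated with a short sweep. The script below is an added example written for this page, not GitLab's own tooling: the field names (path, params[].key, params[].value.email, meta.caller_id, target_details) follow the indicators GitLab published, but the surrounding line structure, and the sample lines themselves, are constructed assumptions, so compare against a real log line from your instance before relying on the parsing.

```python
import json

# Constructed sample lines mimicking gitlab-rails/production_json.log (not real GitLab
# output). The second line is what an exploitation attempt is expected to look like:
# user[email] carries an array with the victim's address plus an attacker address.
PRODUCTION_JSON_LOG = [
    '{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create",'
    '"params":[{"key":"authenticity_token","value":"[FILTERED]"},'
    '{"key":"user","value":{"email":"victim@example.com"}}]}',
    '{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create",'
    '"params":[{"key":"authenticity_token","value":"[FILTERED]"},'
    '{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}',
    '{"method":"GET","path":"/users/sign_in","params":[]}',
    'not a json line at all',
]

# Constructed sample lines mimicking gitlab-rails/audit_json.log (not real GitLab output).
# target_details is assumed to be a string that may itself hold a JSON-encoded array.
AUDIT_JSON_LOG = [
    '{"meta.caller_id":"PasswordsController#create","target_details":"victim@example.com"}',
    '{"meta.caller_id":"PasswordsController#create",'
    '"target_details":"[\\"victim@example.com\\",\\"attacker@example.net\\"]"}',
    '{"meta.caller_id":"SessionsController#create","target_details":"victim@example.com"}',
]


def _as_email_list(value):
    """Normalise an email field that may be a string, a list, or a JSON-encoded list."""
    if isinstance(value, str):
        stripped = value.strip()
        if not stripped.startswith("["):
            return [stripped]
        try:
            value = json.loads(stripped)
        except json.JSONDecodeError:
            return [stripped]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return []


def _parse_json_lines(lines):
    """Yield one dict per JSON log line; skip malformed lines instead of aborting the sweep."""
    for line in lines:
        try:
            obj = json.loads(line)
        except (json.JSONDecodeError, TypeError):
            continue
        if isinstance(obj, dict):
            yield obj


def suspicious_password_resets(lines):
    """production_json.log check: POST /users/password where user[email] holds >1 address."""
    hits = []
    for entry in _parse_json_lines(lines):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params") or []:
            if param.get("key") != "user" or not isinstance(param.get("value"), dict):
                continue
            emails = _as_email_list(param["value"].get("email"))
            if len(emails) > 1:
                hits.append(emails)
    return hits


def suspicious_audit_events(lines):
    """audit_json.log check: PasswordsController#create whose target_details holds >1 address."""
    hits = []
    for entry in _parse_json_lines(lines):
        if entry.get("meta.caller_id") != "PasswordsController#create":
            continue
        emails = _as_email_list(entry.get("target_details"))
        if len(emails) > 1:
            hits.append(emails)
    return hits


if __name__ == "__main__":
    # On a real host, replace the constructed lists with open(...) over the two log files.
    for emails in suspicious_password_resets(PRODUCTION_JSON_LOG):
        print("production_json.log: password reset requested for multiple addresses:", emails)
    for emails in suspicious_audit_events(AUDIT_JSON_LOG):
        print("audit_json.log: reset audit event targeting multiple addresses:", emails)
```

A hit from either check is worth treating as an attempted takeover of the first address in the array; the second address is the one the attacker wanted the reset link delivered to, and is a useful pivot for further log searches.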
CVE-2023-4812: Bypass CODEOWNERS approval removal
This vulnerability allows a threat actor to bypass CODEOWNERS approval by adding changes to a previously approved merge request. GitLab rated it as high severity, with a score of 7.6 (High).
CVE-2023-5356: Attacker can Abuse Slack/Mattermost
A threat actor can abuse the Slack/Mattermost integrations because of incorrect authorization checks, which could allow slash commands to be executed in the context of another user. The severity of this vulnerability was rated 7.3 (High).
CVE-2023-6955: Workspaces under different root namespace
This vulnerability exists due to improper access control in GitLab Remote Development, which could allow a threat actor to create a workspace in one group that is associated with an agent from another group. The severity of this vulnerability was rated 6.6 (Medium).
CVE-2023-2030: Signed commit metadata modification
This vulnerability could allow a threat actor to modify the metadata of signed commits. GitLab rated it as low severity, with a score of 3.5 (Low).
GitLab has published a complete report on these vulnerabilities, with detailed information on their nature, affected versions, fixes, and security measures.
GitLab users are advised to upgrade to the latest version to prevent these vulnerabilities from being exploited by threat actors.