Cyber security news for all


    CISA Alerts Regarding Active Exploitation of Severe GitLab Password Reset Vulnerability

    The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw affecting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, citing ongoing exploitation in the wild.

    Tracked as CVE-2023-7028 (CVSS score: 10.0), the critical vulnerability could enable an account takeover by sending password reset emails to an unverified email address.

    GitLab, which disclosed details of the flaw earlier in January, said it was introduced by a code change in version 16.1.0 on May 1, 2023.

    “During these iterations, all authentication mechanisms are affected,” remarked the organization at that time. “Furthermore, users employing two-factor authentication remain susceptible to password resets but are shielded from account hijacking as their secondary authentication measure is mandatory for logging in.”

    Successful exploitation has serious consequences: beyond taking over a GitLab user account, an attacker could steal sensitive data and login credentials, and inject malicious code into source code repositories, potentially leading to supply chain attacks.

    “For instance, a malicious actor gaining entry to the CI/CD pipeline configuration could integrate harmful scripts engineered to extract sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, rerouting them to a server under the adversary’s control,” remarked cloud security enterprise Mitiga in a recent analysis.

    “Likewise, meddling with repository code may encompass the insertion of malware that jeopardizes system integrity or introduces clandestine access points for unauthorized entry. Malevolent scripts or misuse of the pipeline might result in data theft, code disruption, unauthorized entry, and supply chain attacks.”

    The vulnerability has been fixed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with the fixes also backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
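    As an added example (not code from the article, GitLab or CISA), here is a small triage helper that checks whether a reported GitLab version string falls inside the affected ranges listed above. The version bounds come from the article; how branches the article does not list (anything before 16.1, and 16.8 or later) are handled is an assumption.

```python
# Added example: triage helper for CVE-2023-7028 based on the version
# ranges given in the article. Not GitLab's or CISA's own code.
from typing import List, Tuple

# Affected range per branch: flaw introduced in 16.1.0, fixed in the
# listed patch release of each branch (16.x -> first fixed patch number).
FIXED_IN = {
    (16, 1): 6,
    (16, 2): 9,
    (16, 3): 7,
    (16, 4): 5,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z', tolerating an edition suffix such as '16.5.1-ee'."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(text: str) -> bool:
    """True if the version lies in a CVE-2023-7028 affected range."""
    major, minor, patch = parse_version(text)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        # Assumption: branches before 16.1 never contained the flaw, and
        # branches after 16.7 were released after the fix.
        return False
    return patch < fixed_patch


def needs_patching(versions: List[str]) -> List[str]:
    """Return the reported instances that are still in an affected range."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["16.5.5-ee", "16.5.6-ee", "16.2.8-ce", "16.7.2", "16.0.8"]
    print("still vulnerable:", needs_patching(inventory))
```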

    CISA has not yet provided further details on how the vulnerability is being exploited in the wild. In light of the ongoing exploitation, federal agencies are required to apply the latest patches by May 22, 2024, to secure their networks.
