GitLab, a cornerstone of the DevSecOps ecosystem, is urging users to take immediate action following the discovery of a critical security vulnerability that could lead to zero-click account hijacking. This vulnerability, identified as CVE-2023-7028, has been given the highest severity score of 10/10, indicating the potential for severe impact on affected systems.
The Crucial Role of GitLab in Software Development
GitLab is not just a repository for code; it’s an integral part of the software development lifecycle, offering tools for continuous integration and deployment (CI/CD), issue tracking, and more. Given its access to proprietary code, API keys, and sensitive data, a breach in GitLab’s security could have catastrophic consequences for organizations worldwide.
A Closer Look at the Critical Vulnerabilities
The most severe issue, CVE-2023-7028, allows attackers to hijack GitLab accounts without any user interaction by resetting passwords to unverified email addresses. Worryingly, even accounts protected by two-factor authentication (2FA) are vulnerable to this initial reset, although 2FA would still be required to complete the login process.
Another critical vulnerability, CVE-2023-5356, with a severity score of 9.6/10, enables attackers to execute slash commands in Slack or Mattermost impersonating another user. This could lead to unauthorized actions being taken within these communication platforms.
In addition to these, other vulnerabilities that were fixed include CVE-2023-4812, CVE-2023-6955, and CVE-2023-2030.
Versions of GitLab Affected by the Vulnerabilities
The vulnerabilities affect a range of versions, specifically:
- Versions 16.1 prior to 16.1.5
- Versions 16.2 prior to 16.2.8
- Versions 16.3 prior to 16.3.6
- Versions 16.4 prior to 16.4.4
- Versions 16.5 prior to 16.5.6
- Versions 16.6 prior to 16.6.4
- Versions 16.7 prior to 16.7.2
Updates Released to Address Security Issues
GitLab has responded promptly by releasing fixed versions of their software:
- Version 16.7.2
- Version 16.5.6
- Version 16.6.4
Additionally, backported fixes have been applied to versions 16.1.6, 16.2.9, and 16.3.7.
Assessing the Impact and Looking for Compromises
The potential for supply chain attacks through CI/CD pipelines makes this vulnerability particularly dangerous. GitLab has not detected active exploitation but advises users to check for signs of compromise. Users should review their gitlab-rails/production_json.log
for suspicious HTTP requests to /users/password
and their gitlab-rails/audit_json.log
for entries with meta.caller.id
of PasswordsController#create
.
Urgent Call to Action for GitLab Users
GitLab’s update page provides detailed instructions for updating to the latest, secure versions. For those using the GitLab Runner, the update instructions are also available. The vendor strongly recommends updating as soon as possible, with manual updates required for self-hosted installations.
Echoing the Severity of the Situation
“Hijacking a GitLab account can have a significant impact on an organization since the platform is typically used to host proprietary code, API keys, and other sensitive data,” GitLab cautions. The security researcher ‘Asterion’, who reported CVE-2023-7028 through HackerOne, has played a crucial role in bringing this issue to light.
Conclusion: The Vital Importance of Security Updates
In the ever-evolving landscape of cybersecurity threats, the discovery and prompt resolution of vulnerabilities like CVE-2023-7028 are vital. Organizations relying on GitLab must prioritize these updates to safeguard their assets and maintain the integrity of their operations. As GitLab continues to be a pivotal player in software development, the security of its platform remains paramount for the protection of the digital supply chain.