The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.
Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum-severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address.
GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023.
“Within these versions, all authentication mechanisms are impacted,” the company noted at the time. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”
Successful exploitation of the issue can have serious consequences, as it not only allows an adversary to take control of a GitLab user account but also to steal sensitive information and credentials, and even poison source code repositories with malicious code, leading to supply chain attacks.
“For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server,” cloud security firm Mitiga said in a recent report.
“Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks.”
The flaw has been addressed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with the patches also backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
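A small triage helper, added here as an example (not the article's or GitLab's own code), that decides from the version figures above whether a self-managed GitLab instance still sits in the affected range: introduced in 16.1.0, fixed per branch at 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4 and 16.7.2. It assumes minor branches newer than 16.7 shipped after the fix and are therefore treated as not affected.

```python
import re

# CVE-2023-7028 was introduced with the 16.1.0 code change.
INTRODUCED = (16, 1, 0)

# First fixed patch level for each affected minor branch (figures from the advisory).
FIXED = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (a trailing edition suffix such as '-ee' is ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True if the version is at or after 16.1.0 and below its own branch's fix.

    Assumption: minor branches later than 16.7 postdate the fix, so they are
    reported as not affected; versions before 16.1.0 predate the bug.
    """
    v = parse_version(version_text)
    if v < INTRODUCED:
        return False
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return False
    return v < fixed


def triage(versions):
    """Map each version string to 'vulnerable' or 'fixed' for a fleet report."""
    return {v: ("vulnerable" if is_vulnerable(v) else "fixed") for v in versions}
```

Feed it the version strings from your instances' `/api/v4/version` output or `gitlab-rake gitlab:env:info` to get a per-host answer.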
CISA has yet to provide any other details as to how the vulnerability is being exploited in real-world attacks. In light of active exploitation, federal agencies are required to apply the latest fixes by May 22, 2024, to secure their networks.