Critical GitLab Vulnerability Enables Account Hijacking – Here is what to know, a quick look


In a recent security development, GitLab, a popular web-based Git repository manager, has patched a high-severity vulnerability that poses a significant risk to user accounts. This flaw, tracked as CVE-2023-7028, allows unauthenticated attackers to take over accounts through cross-site scripting (XSS) attacks.

The Vulnerability Explained

The vulnerability stems from a change GitLab implemented in May 2023. This change enabled users to initiate password resets through links sent to secondary email addresses. The intention was to allow password resets when users couldn’t access the primary email address associated with their account. However, this feature inadvertently allowed attackers to have reset emails sent to email accounts they controlled. By clicking on the embedded link in the reset email, attackers could gain unauthorized access to the targeted GitLab account.

Notably, this exploit requires no user interaction. However, it only works against accounts that haven’t configured multifactor authentication (MFA). Even with MFA, accounts remain vulnerable to password resets, but the attackers cannot fully access the account, allowing the rightful owner to change the reset password.

Severity and Active Exploitation

The severity of this vulnerability is rated at the maximum level: 10 out of 10. The US Cybersecurity and Infrastructure Security Agency (CISA) has identified “evidence of active exploitation” and added the vulnerability to its list of known exploited flaws. Unfortunately, CISA hasn’t provided specific details about the ongoing attacks.

Supply-Chain Threats and Implications

The potential impact of this flaw is significant. GitLab software often has access to multiple development environments owned by users. If attackers exploit this vulnerability, they could surreptitiously introduce changes, sabotage projects, or even plant backdoors that infect anyone using software built in the compromised environment. This scenario mirrors supply-chain attacks seen in other incidents, such as the SolarWinds breach in 2020.

Supply-chain attacks are powerful because they allow hackers to compromise a single target and subsequently infect thousands of downstream users without requiring any action from those users. In this case, GitLab’s vulnerability could have far-reaching consequences, affecting organizations worldwide.

Scanning and Vulnerable Instances

Security organization Shadowserver conducted internet scans and found over 2,100 IP addresses hosting vulnerable GitLab instances. The highest concentration of these instances was in India, followed by the US, Indonesia, Algeria, and Thailand.

Mitigation and Recommendations

To protect against this vulnerability, GitLab users should promptly update their installations to versions 16.9.6, 16.10.4, or 16.11.1. Additionally, enabling multifactor authentication remains crucial for enhancing account security.
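The following Python script is an added example, not part of the original article or GitLab's own tooling: it lists the active accounts that have no second factor, which are the accounts the article says a reset-based takeover fully works against. It assumes administrator-token output from GitLab's `GET /api/v4/users` endpoint; the sample records and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of an admin-token response from
# GET /api/v4/users (fields trimmed, every value is made up).
SAMPLE_USERS_JSON = """
[
 {"id": 1, "username": "root",   "state": "active",  "is_admin": true,  "bot": false, "two_factor_enabled": false},
 {"id": 2, "username": "alice",  "state": "active",  "is_admin": false, "bot": false, "two_factor_enabled": true},
 {"id": 3, "username": "erin",   "state": "active",  "is_admin": false, "bot": false, "two_factor_enabled": false},
 {"id": 4, "username": "carol",  "state": "blocked", "is_admin": false, "bot": false, "two_factor_enabled": false},
 {"id": 5, "username": "ci-bot", "state": "active",  "is_admin": false, "bot": true,  "two_factor_enabled": false},
 {"id": 6, "username": "dave",   "state": "active",  "is_admin": true,  "bot": false, "two_factor_enabled": true},
 {"id": 7, "username": "bob",    "state": "active",  "is_admin": false, "bot": false, "two_factor_enabled": false}
]
"""


def accounts_without_mfa(users):
    """Return active, human accounts with no second factor, admins first."""
    exposed = []
    for user in users:
        # two_factor_enabled is only returned to administrators; refuse to
        # guess if it is absent, otherwise every account would be misreported.
        if "two_factor_enabled" not in user:
            raise ValueError("two_factor_enabled missing: query with an admin token")
        if user.get("state") != "active" or user.get("bot", False):
            continue  # blocked users and bot accounts cannot sign in interactively
        if not user["two_factor_enabled"]:
            exposed.append(user)
    # Administrators sort first: their takeover has the widest impact.
    return sorted(exposed, key=lambda u: (not u.get("is_admin", False), u["username"]))


def report(users):
    """Format one line per exposed account for a ticket or review."""
    lines = []
    for user in accounts_without_mfa(users):
        role = "ADMIN" if user.get("is_admin") else "user"
        lines.append(f"{role:5} {user['username']} (id={user['id']})")
    return lines


if __name__ == "__main__":
    for line in report(json.loads(SAMPLE_USERS_JSON)):
        print(line)
```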

In summary, GitLab’s recent security patch addresses a critical flaw that could have severe consequences if left unaddressed. Organizations and users should take immediate action to safeguard their accounts and prevent potential supply-chain attacks.

