GitLab has a critical vulnerability that affects all of its authentication mechanisms. Users without two-factor authentication are at significant risk. The vulnerability has been patched, and users are advised to update to the latest version.
GitLab Critical Vulnerability Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently warned about a critical vulnerability discovered in GitLab’s software. This flaw, classified as CVE-2023-7028, is currently being exploited by malicious actors and has a CVSS score of 10.0, the highest possible rating for vulnerabilities.
GitLab disclosed the vulnerability earlier this year, noting that it was inadvertently introduced during a code update in May 2023. The issue affects all authentication mechanisms in versions 16.1.0 onwards and poses a significant risk to users, especially those without two-factor authentication. Despite the seriousness of the situation, CISA did not provide details about specific exploitation cases.
More About Vulnerability
Successful exploitation of CVE-2023-7028 allows attackers to have password reset emails sent to unverified email addresses, enabling account access for third parties. Successful attacks allow threat actors (TAs) to take control of GitLab accounts, which can lead to theft of sensitive data, compromised credentials, and malicious code injected into source code repositories. This could have a cascading effect, leading to widespread supply chain attacks.
Cloud security experts from Mitiga have highlighted the potential for attackers to manipulate CI/CD pipeline configurations, inserting code designed to siphon off sensitive data like personally identifiable information or authentication tokens. Additionally, tampering with repository code could introduce system-compromising malware or unauthorized access backdoors.
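As an added illustration (not part of the original article and not GitLab's own tooling), the following Python scans request-log lines for password-reset requests that carry more than one email address, which is the trace the abuse described above would leave; it assumes the JSON layout and field names of GitLab's gitlab-rails/production_json.log, and the sample lines are constructed.

```python
import json

# Constructed sample lines in the shape of gitlab-rails/production_json.log
# (field names are assumed; verify them against your own deployment).
# The second line shows a reset request whose "email" value is a list of
# two addresses instead of a single string.
SAMPLE_LOG = """
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.5","time":"2024-01-12T10:00:00Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7","time":"2024-01-12T10:01:00Z"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.5","time":"2024-01-12T10:02:00Z"}
"""


def suspicious_reset_requests(lines):
    """Return password-reset requests whose email parameter holds several addresses."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            if param.get("key") != "user":
                continue
            value = param.get("value")
            email = value.get("email") if isinstance(value, dict) else None
            # A legitimate reset carries one email string; a list with more
            # than one address is the pattern worth alerting on.
            if isinstance(email, list) and len(email) > 1:
                hits.append({
                    "time": entry.get("time"),
                    "remote_ip": entry.get("remote_ip"),
                    "emails": email,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_reset_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feed it the real log with `suspicious_reset_requests(open(path))` and review any hit together with the account's subsequent sign-ins and token activity.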
Mitigation Efforts and Federal Response
GitLab has addressed the vulnerability in several versions of its software, with patches available in versions 16.5.6, 16.6.4, and 16.7.2 and fixes backported to earlier affected versions. Despite this, CISA has yet to disclose specific details on how the vulnerability is being actively exploited.
In response to the ongoing threat, CISA has mandated federal agencies to update their GitLab installations by May 22, 2024. This directive underscores the critical nature of the vulnerability and the need for immediate action to safeguard networks against potential breaches.