GitLab Warns of Critical Zero-click Account Hijacking Vulnerability

"GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction," reported Bleeping Computer.

  • "The vendor strongly recommends updating as soon as possible all vulnerable versions of the DevSecOps platform (manual update required for self-hosted installations) and warns that if 'no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.'"
  • "The most critical security issue GitLab patched has the maximum severity score (10 out of 10) and is being tracked as CVE-2023-7028. Successful exploitation does not require any interaction."
  • "It is an authentication problem that permits password reset requests to be sent to arbitrary, unverified email addresses, allowing account takeover. If two-factor authentication (2FA) is active, it is possible to reset the password but the second authentication factor is still needed for successful login."
  • "The issue was discovered and reported to GitLab by security researcher ‘Asterion’ via the HackerOne bug bounty platform and was introduced on May 1, 2023, with version 16.1.0."
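As an added illustration of the defect class described above (this is not GitLab's code nor its patch; the account store and function names are hypothetical), a reset handler that treats the submitted address only as a lookup key and dispatches the token solely to a verified address bound to one account:

```ruby
# Added illustration, not GitLab's code: a password-reset request handler that
# sends the reset token only to addresses already verified for the account.
require 'securerandom'

# Constructed sample account store: login => list of { email:, verified: } records.
ACCOUNTS = {
  'alice' => [
    { email: 'alice@example.com', verified: true },
    { email: 'alice-old@example.net', verified: false }
  ]
}.freeze

# Insecure shape: the recipient list is taken straight from the request, so any
# address the requester supplies receives a valid reset token.
def reset_recipients_insecure(submitted)
  Array(submitted)
end

# Hardened shape: the submitted address is only a lookup key. The token goes to the
# matching address, and only if it is verified and bound to exactly one account.
def reset_recipients_secure(submitted, accounts = ACCOUNTS)
  emails = Array(submitted).map { |e| e.to_s.strip.downcase }
  return [] unless emails.size == 1 # refuse multi-address requests outright
  email = emails.first
  matches = accounts.select do |_login, records|
    records.any? { |r| r[:email].downcase == email && r[:verified] }
  end
  return [] unless matches.size == 1 # unknown, unverified or ambiguous: send nothing
  [email]
end

# Issues a token only when the hardened check yields a recipient. The HTTP response
# the caller returns should look the same in both cases to avoid address enumeration.
def request_password_reset(submitted, accounts = ACCOUNTS)
  recipients = reset_recipients_secure(submitted, accounts)
  return { sent: false, recipients: [] } if recipients.empty?
  { sent: true, recipients: recipients, token: SecureRandom.hex(32) }
end
```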

Bleeping Computer Article / Archive