The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a important flaw impacting GitLab to its Identified Exploited Vulnerabilities (KEV) catalog, owing to energetic exploitation within the wild.
Tracked as CVE-2023-7028 (CVSS rating: 10.0), the utmost severity vulnerability may facilitate account takeover by sending password reset emails to an unverified electronic mail tackle.
GitLab, which disclosed particulars of the shortcoming earlier this January, mentioned it was launched as a part of a code change in model 16.1.0 on Might 1, 2023.
“Within these versions, all authentication mechanisms are impacted,” the corporate famous on the time. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”
Profitable exploitation of the difficulty can have critical penalties because it not solely allows an adversary to take management of a GitLab consumer account, but in addition steal delicate data, credentials, and even poison supply code repositories with malicious code, main to produce chain assaults.
“For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server,” cloud safety agency Mitiga mentioned in a current report.
“Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks.”
The flaw has been addressed in GitLab variations 16.5.6, 16.6.4, and 16.7.2, with the patches additionally backported to variations 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
CISA has but to offer another particulars as to how the vulnerability is being exploited in real-world assaults. In mild of energetic customers, federal businesses are required to use the newest fixes by Might 22, 2024, to safe their networks.
