CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability – Cyber Tech

May 02, 2024 Newsroom Vulnerability / Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw affecting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum-severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address.

GitLab, which disclosed details of the flaw earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023.

“Within these versions, all authentication mechanisms are impacted,” the company noted at the time. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”
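The two points above (a reset link must only ever reach an address that has been verified as belonging to the account, and a second factor still gates the session even after a successful reset) can be shown in a small password-reset flow. This is an added illustration, not GitLab's code; the in-memory account store, the field names and the `ACCOUNTS` sample data are constructed for the example, and the "weak" handler is a simplified model of the described weakness, not GitLab's actual implementation.

```ruby
require 'securerandom'

# Constructed sample data (not GitLab's schema): each account has addresses the
# owner has verified, possibly one that is still unverified, and a 2FA flag.
ACCOUNTS = {
  'alice' => { verified: ['alice@example.com'], unverified: ['alice.new@example.net'], two_factor: false },
  'bob'   => { verified: ['bob@example.com'],   unverified: [],                        two_factor: true }
}.freeze

def reset_token
  SecureRandom.hex(16)
end

# Weak flow: as soon as any submitted address is associated with an account
# (verified or not), the reset link is delivered to every submitted address.
# The caller therefore controls where the token goes.
def weak_reset(submitted_addresses)
  owner = ACCOUNTS.find do |_, a|
    !((a[:verified] + a[:unverified]) & submitted_addresses).empty?
  end
  return [] unless owner
  submitted_addresses.map { |addr| { to: addr, token: reset_token } }
end

# Hardened flow: the account is resolved from verified addresses only, and the
# link is delivered only to the addresses stored as verified for that account.
# Nothing the request supplied is ever used as a recipient, so an unverified or
# unrelated address receives nothing (and the HTTP response should be identical
# either way, so the caller cannot tell which case occurred).
def hardened_reset(submitted_addresses)
  deliveries = []
  ACCOUNTS.each_value do |a|
    next if (a[:verified] & submitted_addresses).empty?
    a[:verified].each { |addr| deliveries << { to: addr, token: reset_token } }
  end
  deliveries
end

# After a valid reset token has been consumed, an account with 2FA enabled must
# still present its second factor before a session is issued, which is why the
# article notes that 2FA users could have their password reset but not be taken over.
def finish_login_after_reset(username, second_factor_presented:)
  account = ACCOUNTS.fetch(username)
  return :second_factor_required if account[:two_factor] && !second_factor_presented
  :session_issued
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{weak_reset(['alice@example.com', 'unrelated@example.org']).map { |d| d[:to] }.inspect}"
  puts "hardened: #{hardened_reset(['alice@example.com', 'unrelated@example.org']).map { |d| d[:to] }.inspect}"
  puts "bob after reset without 2FA: #{finish_login_after_reset('bob', second_factor_presented: false)}"
end
```

The difference to look for in a code review is where the recipient list comes from: the hardened handler derives it exclusively from server-side verified data, while the weak one echoes request input back into the mailer.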

Successful exploitation of the issue can have serious consequences, as it not only allows an adversary to take control of a GitLab user account, but also to steal sensitive information and credentials, and even poison source code repositories with malicious code, leading to supply chain attacks.


“For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server,” cloud security firm Mitiga said in a recent report.

“Similarly, tampering with repository code may involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks.”

The flaw has been addressed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with the patches also backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
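For triage across an instance inventory, the fixed releases listed above together with the 16.1.0 introduction date give a precise affected range per minor line. The following check is an added example, not a GitLab or CISA tool; it uses Ruby's built-in `Gem::Version` for comparison and assumes the version string looks like `16.5.2` or `16.5.2-ee` (the form returned by a GitLab instance's version API), with the `-ee` suffix stripped before comparison. It also assumes, as the fixed-version list implies, that minor lines after 16.7 shipped with the fix already included.

```ruby
require 'rubygems' # Gem::Version is part of the standard library

# Fixed releases named in the article: one per affected minor line (16.1 to 16.7).
FIXED_VERSIONS = %w[16.1.6 16.2.9 16.3.7 16.4.5 16.5.6 16.6.4 16.7.2]
                 .map { |s| Gem::Version.new(s) }.freeze
# The article states the flaw entered the code base in 16.1.0.
INTRODUCED_IN = Gem::Version.new('16.1.0')

# Normalise a GitLab version string to something Gem::Version orders correctly.
# Assumption: an edition suffix such as "-ee" may be present; without stripping it,
# Gem::Version would treat the value as a pre-release and misorder it.
def normalise_gitlab_version(version_string)
  Gem::Version.new(version_string.strip.sub(/-(ee|ce)\z/, ''))
end

# True when the given version falls inside an affected range:
# 16.1.0 <= v < fixed release of v's own minor line.
def vulnerable_to_cve_2023_7028?(version_string)
  v = normalise_gitlab_version(version_string)
  return false if v < INTRODUCED_IN
  fixed_for_line = FIXED_VERSIONS.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  # Assumption: minor lines not in the fixed list (16.8 and later) already carry the fix.
  return false if fixed_for_line.nil?
  v < fixed_for_line
end

# Triage a constructed inventory and return the instances that still need patching.
def instances_needing_patch(inventory)
  inventory.select { |_host, version| vulnerable_to_cve_2023_7028?(version) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory (hostnames and versions are made up for the example).
  sample = {
    'git-a.internal' => '16.5.2-ee',
    'git-b.internal' => '16.5.6-ee',
    'git-c.internal' => '16.0.8',
    'git-d.internal' => '16.7.1',
  }
  puts "Needs patch: #{instances_needing_patch(sample).inspect}"
end
```

Because the flaw affects every authentication path on an unpatched instance, a version match here is a reason to patch first and then review password-reset activity, rather than to rely on 2FA coverage alone.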

CISA has yet to provide any other details as to how the vulnerability is being exploited in real-world attacks. In light of active exploitation, federal agencies are required to apply the latest fixes by May 22, 2024, to secure their networks.
