
GitLab Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE)

Advisory No: TZCERT/SA/2024/01/15

Date of First Release: 15th January 2024

Source: GitLab

Software Affected: GitLab self-managed instances version 16.1 to 16.1.5, 16.2 to 16.2.8, 16.3 to 16.3.6, 16.4 to 16.4.4, 16.5 to 16.5.5, 16.6 to 16.6.3 and 16.7 to 16.7.1

Overview:

GitLab has released security updates to address two critical vulnerabilities (CVE-2023-7028 and CVE-2023-5356), one of which could be exploited to take over accounts without requiring any user interaction.

Description:

The vulnerability (CVE-2023-7028, CVSS score: 10) is caused by a fault in the email verification procedure, which allowed users to reset their passwords using a secondary email address.

Another critical flaw (CVE-2023-5356, CVSS score: 9.6) permits a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

Impact:

Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

Solution:

GitLab has released updates to resolve these vulnerabilities. Users and administrators are encouraged to upgrade to the latest version as soon as possible.
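To prioritise upgrades across several self-managed instances, the version ranges under "Software Affected" can be checked programmatically. The following is an added example, not code from GitLab or from this advisory; the host names and version strings in the sample inventory are constructed, and "not listed" means only that the version is outside the ranges stated on this page.

```python
import re

# Highest affected patch level per minor series, taken from the
# "Software Affected" line of this advisory (16.1 to 16.1.5, and so on).
AFFECTED_MAX_PATCH = {
    (16, 1): 5, (16, 2): 8, (16, 3): 6, (16, 4): 4,
    (16, 5): 5, (16, 6): 3, (16, 7): 1,
}

# Accepts "16.5.3", "v16.5.3", "16.6" and suffixed builds such as "16.7.1-ee".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?$")


def parse_version(text):
    """Return (major, minor, patch); a missing patch level is treated as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text):
    """True if the version falls inside a range listed in this advisory."""
    major, minor, patch = parse_version(text)
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    return max_patch is not None and patch <= max_patch


def triage(inventory):
    """Map each host to 'AFFECTED', 'not listed' or 'UNKNOWN' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "UNKNOWN"  # verify these hosts by hand
    return result


# Constructed inventory (hypothetical hosts and versions) for illustration.
SAMPLE_INVENTORY = {
    "gitlab-dev.example.internal": "16.5.3-ee",
    "gitlab-prod.example.internal": "16.7.2",
    "gitlab-lab.example.internal": "latest",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {SAMPLE_INVENTORY[host]:12} {status}")
```

Hosts reported as UNKNOWN need their version confirmed manually before they are considered out of scope.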

References:

  1. https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
