Advisory No: TZCERT/SA/2024/01/15
Date of First Release: 15th January 2024
Source: GitLab
Software Affected: GitLab self-managed instances version 16.1 to 16.1.5,16.2 to 16.2.8,16.3 to 16.3.6,16.4 to 16.4.4,16.5 to 16.5.5,16.6 to 16.6.3 and 16.7 to 16.7.1
Overview:
GitLab has released security updates to address two critical vulnerabilities (CVE-2023-7028 and CVE-2023-5356), whereby one could be exploited to take over accounts without requiring any user interaction.
Description:
The vulnerability (CVE-2023-7028, CVSS score: 10) is caused by a fault in the email verification procedure, which allowed users to reset their passwords using a secondary email address.
Another critical flaw (CVE-2023-5356, CVSS score: 9.6), permits a user to abuse Slack/Mattermost integrations to execute slash commands as another user.
Impact:
Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.
Solution:
GitLab has released updates to resolve these vulnerabilities. Users and administrations are encouraged to upgrade to the latest version as soon as possible.
References: