GitLab Accounts without 2FA Face Risk of Takeover via New Flaw: Patch Immediately

A newly disclosed critical vulnerability plaguing GitLab accounts leaves users at risk of complete account takeover if they haven’t enabled multi-factor authentication (MFA).

The flaw, tracked as CVE-2023-7028, has the maximum severity CVSS score of 10. It allows attackers to reset account passwords through secondary email addresses by exploiting a change introduced in version 16.1.0.

Vulnerable Since May 2023

The vulnerable element was introduced in May 2023, hence the importance of patching it as soon as possible.

In an attack scenario, threat actors could leverage specifically crafted HTTP requests to send a password reset email to a secondary, attacker-controlled email address. After resetting the account password, perpetrators can take over compromised accounts completely.

Password Reset Without User Interaction

To make matters worse, attackers can perform the takeover without user interaction, making 2FA-less accounts sitting ducks for attacks exploiting the account-bypassing vulnerability.

It’s worth mentioning that, although 2FA users aren’t immediately vulnerable, threat actors could still request password resets on their behalf. However, perpetrators wouldn’t be able to carry it out without access to the authenticator.

Multiple Versions Vulnerable

According to the vulnerability’s description page, the issue affects the following versions of GitLab’s Community and Enterprise editions:

• 16.1 prior to 16.1.6
• 16.2 prior to 16.2.9
• 16.3 prior to 16.3.7
• 16.4 prior to 16.4.5
• 16.5 prior to 16.5.6
• 16.6 prior to 16.6.4
• 16.7 prior to 16.7.2

Non-SSO Users Vulnerable

“Users without SSO enforcement are vulnerable,” reads GitLab’s security advisory. “If your configuration allows a username and password to be used in addition to SSO options, then you are impacted. Disabling all password authentication options via Sign-in restrictions settings will mitigate the vulnerability for Self-Managed customers that have an external identity provider configured, as this will disable the ability to perform password reset.”

Although there’s no evidence that the vulnerability has been exploited yet, a new batch of security patches has been rolled out, and admins are urged to apply them immediately.