
GitLab Addresses Critical Security Vulnerabilities with New Updates

By: BNN Correspondents
Published: January 13, 2024 at 11:43 am EST

GitLab, the web-based DevOps lifecycle tool, has released security updates for its Community Edition (CE) and Enterprise Edition (EE) that address two critical vulnerabilities. The patched versions are 16.7.2, 16.6.4, and 16.5.6.

Critical Vulnerability: CVE-2023-7028

The first vulnerability, tracked as CVE-2023-7028, carries a severity score of 10 out of 10, the maximum possible. It affects self-managed instances running GitLab CE/EE versions 16.1 through 16.7 prior to the patched releases. The vulnerability allows an attacker to take over accounts by having password reset emails sent to an unverified email address. It was reported by a security researcher who uses the pseudonym ‘Asterion’. The flaw was introduced on May 1, 2023, as the result of a bug in the email verification process. Users who have enabled two-factor authentication (2FA) can still have their password reset, but they are protected against account takeover because the second factor is still required to log in.
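To make the bug class concrete, here is an added illustration (not GitLab's code, and not taken from the advisory) of a password-reset handler in the style the article describes. The account records, address lists and helper names are constructed for the example. The vulnerable pattern resolves the account from the first address in the request and then mails every address the request supplied; the hardened pattern accepts a single address and only sends the reset link if that address is a verified address of the account it resolves to. A final helper models the article's point that 2FA still blocks login after a reset.

```ruby
# Constructed sample accounts (hypothetical; not real GitLab data).
# emails maps address => verified?
Account = Struct.new(:username, :emails, :two_factor_enabled) do
  def verified_emails
    emails.select { |_, verified| verified }.keys
  end
end

ACCOUNTS = [
  Account.new("alice",
              { "alice@example.com" => true, "alice-pending@example.com" => false },
              false),
  Account.new("bob", { "bob@example.com" => true }, true),
].freeze

# Look up an account by any address attached to it (verified or not).
def find_account(address)
  ACCOUNTS.find { |a| a.emails.key?(address) }
end

# Vulnerable pattern: the account is located from the first requested address,
# and the reset email is sent to *every* address in the request, so an
# unverified address chosen by the requester also receives the reset link.
def reset_targets_vulnerable(requested)
  account = find_account(requested.first)
  return [] unless account
  requested
end

# Hardened pattern: exactly one address is accepted, and it must be one of
# the verified addresses of the account it belongs to. Anything else gets no
# email at all (returning an empty list also avoids leaking whether the
# address exists).
def reset_targets_hardened(requested)
  return [] unless requested.is_a?(Array) && requested.length == 1
  address = requested.first
  account = find_account(address)
  return [] unless account && account.verified_emails.include?(address)
  [address]
end

# Even if the password was reset, a 2FA-protected account still needs the
# second factor to log in, which is why the article says 2FA users are
# exposed to resets but not to takeover.
def login_after_reset(account, has_second_factor)
  return :denied_needs_2fa if account.two_factor_enabled && !has_second_factor
  :logged_in
end

if __FILE__ == $PROGRAM_NAME
  request = ["alice@example.com", "other@example.net"]
  puts "vulnerable mails: #{reset_targets_vulnerable(request).inspect}"
  puts "hardened mails:   #{reset_targets_hardened(request).inspect}"
  puts "bob, no 2FA code: #{login_after_reset(ACCOUNTS[1], false)}"
end
```

The hardened version also rejects a verified-looking request for `alice-pending@example.com`, because that address has never been confirmed; in a real deployment the same check belongs in the mailer as well as the controller, so a second code path cannot bypass it.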

CVE-2023-5356: Command Execution Vulnerability

GitLab has also fixed a second critical vulnerability, tracked as CVE-2023-5356. This flaw, with a CVSS score of 9.6, allows attackers to execute slash commands as another user through the Slack/Mattermost integrations because of insufficient authorization checks. GitLab has backported the fixes to older versions and urges administrators of self-managed instances to update without delay.

Additional Measures and Recommendations

The GitLab team strongly advises users to enable 2FA, especially on administrator accounts, as an additional layer of protection. So far, no exploitation of CVE-2023-7028 has been detected on GitLab-managed platforms. The company has nevertheless published indicators of compromise so that operators of self-managed instances can check for a potential breach. Alongside these two critical vulnerabilities, the latest update also fixes three other flaws.


