January 12, 2024 at 05:43PM
GitLab releases versions 16.7.2, 16.6.3, and 16.5.6 to address critical vulnerabilities. These include an authentication issue that allows password reset emails to be sent to unverified email addresses, and a vulnerability enabling abuse of slash commands in Slack/Mattermost. Other vulnerabilities affect code approval, workspace creation, and signed commit metadata. GitLab urges upgrading and enabling two-factor authentication.
Based on the meeting notes, the key takeaways are:
– GitLab is releasing versions 16.7.2, 16.6.3, and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE) to address critical vulnerabilities.
– The vulnerabilities include an authentication issue (CVE-2023-7028) that allows password reset emails to be sent to unverified email addresses, and incorrect authorization checks (CVE-2023-5356) that could be exploited to impersonate another user when executing slash commands in Slack/Mattermost.
– Other vulnerabilities mentioned are a bypass of CODEOWNERS approval removal (CVE-2023-4812), creation of workspaces under a different root namespace (CVE-2023-6955), and modification of the metadata of signed commits (CVE-2023-2030).
– GitLab is recommending upgrading and enabling two-factor authentication for all accounts.