GitLab warns of critical zero-click account hijacking vulnerability

January 12, 2024 at 02:47PM

GitLab has released security updates to address critical vulnerabilities in its Community and Enterprise Edition, including an authentication flaw (CVE-2023-7028) allowing account hijacking and a vulnerability (CVE-2023-5356) enabling the abuse of Slack/Mattermost integrations. The flaws were addressed in GitLab versions 16.7.2, 16.5.6, and 16.6.4, with backported fixes available. For official updates, visit GitLab’s update page.

Key takeaways are as follows:

1. GitLab has released security updates for both the Community and Enterprise Edition to address critical vulnerabilities, including account hijacking and supply chain attacks.
2. The most severe issue, identified as CVE-2023-7028, can allow account hijacking without any user interaction and impacts versions 16.1 to 16.7. The fix has also been backported to versions 16.1.6, 16.2.9, and 16.3.7.
3. Another critical problem, CVE-2023-5356, has a severity score of 9.6 out of 10 and can be exploited to abuse Slack/Mattermost integrations to execute slash commands as another user.
4. Other vulnerabilities fixed in version 16.7.2 include CVE-2023-4812, CVE-2023-6955, and CVE-2023-2030.
5. GitLab has not detected active exploitation of CVE-2023-7028 but has shared indicators of compromise to help defenders check their instances.

For instructions and official update resources, see GitLab’s update page. GitLab Runner users should visit the relevant webpage for updates.