GitLab Patches Critical Password Reset Vulnerability

January 15, 2024 at 07:07AM

A vulnerability in GitLab’s email verification process (CVE-2023-7028, CVSS score 10) allows attackers to hijack the password reset flow by having reset messages sent to unverified email addresses. It affects GitLab CE/EE versions 16.1 to 16.7.1; patches were released in versions 16.5.6, 16.6.4, and 16.7.2. Users are advised to update their self-managed instances and enable 2FA for all accounts. Other critical-severity bugs have also been resolved in the latest releases.

Key takeaways from the meeting notes:

1. A vulnerability in GitLab’s email verification process (CVE-2023-7028) allowed attackers to hijack the password reset process.

2. This vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 to 16.7.1 but was addressed with the release of GitLab versions 16.5.6, 16.6.4, and 16.7.2.

3. Users are advised to update their self-managed instances of GitLab to a patched version and enable 2FA for all accounts.

4. Another critical-severity bug (CVE-2023-5356) was resolved in the latest GitLab CE/EE releases, along with other high to low-severity flaws.

5. GitLab has not detected any abuse of the vulnerabilities on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.
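To make the class of flaw concrete, here is an added, simplified model of a password-reset request handler (not GitLab's code, and not a reproduction of the exact CVE-2023-7028 mechanism): the vulnerable variant sends a reset token to any address linked to an account, the hardened variant only to addresses the account holder has verified. Account data, the `ACCOUNTS` directory and the `outbox` list are constructed for the example.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    username: str
    primary_email: str                      # verified at signup
    secondary_emails: dict = field(default_factory=dict)  # email -> verified?


# Constructed sample directory for this example (not real account data).
# alice has added a secondary address but never confirmed it.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com",
                     {"alice-unverified@example.net": False}),
}


def _find_account(email):
    """Return the account that lists this address (primary or secondary), else None."""
    for acct in ACCOUNTS.values():
        if email == acct.primary_email or email in acct.secondary_emails:
            return acct
    return None


def request_reset_vulnerable(email, outbox):
    """Modelled flaw: any linked address gets a reset token, verified or not.
    Whoever controls the unverified address can therefore take over the account."""
    acct = _find_account(email)
    if acct is None:
        return False
    outbox.append((email, secrets.token_urlsafe(16)))
    return True


def request_reset_hardened(email, outbox):
    """Fix: a reset token is only ever sent to an address whose ownership
    has been proven. The caller should answer the user identically in every
    case; the boolean is returned here only so the behaviour can be checked."""
    acct = _find_account(email)
    if acct is None:
        return False
    verified = {acct.primary_email} | {
        e for e, ok in acct.secondary_emails.items() if ok}
    if email not in verified:
        return False
    outbox.append((email, secrets.token_urlsafe(16)))
    return True
```

Requiring 2FA, as the advisory recommends, adds a second barrier: a stolen reset token yields a new password but still not a complete login.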
