CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

May 2, 2024 at 02:54AM

The U.S. Cybersecurity and Infrastructure Security Agency has added a critical flaw in GitLab to its Known Exploited Vulnerabilities catalog due to active exploitation. Tracked as CVE-2023-7028, the vulnerability could facilitate account takeover and has been addressed in several GitLab versions. Federal agencies are required to apply the latest fixes by May 22, 2024.

Meeting Notes Takeaways:
– CISA has added a critical vulnerability impacting GitLab to its KEV catalog (CVE-2023-7028).
– The vulnerability enables account takeover via password reset emails to an unverified address.
– Version 16.1.0 introduced the flaw; all authentication mechanisms are affected.
– Users with two-factor authentication enabled are also vulnerable to the password reset, but the second factor still blocks account takeover.
– Successful exploitation enables theft of data and credentials and poisoning of source code repositories.
– Mitiga states that attacks could lead to data exfiltration, system integrity compromise, and unauthorized access.
– The flaw has been addressed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, as well as backported to earlier versions.
– Federal agencies must apply the latest fixes by May 22, 2024, to secure their networks.
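The takeaways describe the bug class (a reset link delivered to an address the account never verified) but not a fix. The following Ruby snippet is an added illustration, not GitLab's code and not the exact shape of CVE-2023-7028; it assumes a hypothetical handler in which the email parameter can arrive as a list (as a form parser produces for `user[email][]`), the account is looked up by the first entry, and the token is mailed to every entry. The hardened variant uses the request only to identify the account and always delivers to the address stored on that account. `USERS`, `Outbox`, `vulnerable_reset`, `hardened_reset` and `demo` are constructed names for this example.

```ruby
require 'securerandom'

# Constructed in-memory account store (example data, not GitLab's schema).
USERS = {
  'victim@example.com' => { verified_email: 'victim@example.com', totp_enabled: false },
  'admin@example.com'  => { verified_email: 'admin@example.com',  totp_enabled: true }
}.freeze

# Stand-in for a mailer: records (recipient, token) pairs so they can be inspected.
class Outbox
  attr_reader :sent
  def initialize
    @sent = []
  end

  def deliver(to, token)
    @sent << [to, token]
  end
end

# Vulnerable handler (hypothetical): `email` may be a String or an Array.
# The account is looked up by the first address, but the reset token is
# delivered to EVERY address supplied, including ones the account never verified.
def vulnerable_reset(params, outbox)
  emails = Array(params['email'])
  account = USERS[emails.first]
  return :no_account unless account

  token = SecureRandom.hex(16)
  emails.each { |addr| outbox.deliver(addr, token) }
  :sent
end

# Hardened handler: the request only identifies the account. Lists are rejected
# outright, and the recipient is always the address stored on the account.
# The response is identical whether or not the account exists, so the endpoint
# does not double as a user-enumeration oracle.
def hardened_reset(params, outbox)
  email = params['email']
  return :rejected unless email.is_a?(String)

  account = USERS[email]
  return :accepted unless account

  token = SecureRandom.hex(16)
  outbox.deliver(account[:verified_email], token)
  :accepted
end

# Constructed request: the victim's address followed by an attacker-controlled one.
def demo
  attacker = 'attacker@evil.test'
  request = { 'email' => ['victim@example.com', attacker] }

  vulnerable_outbox = Outbox.new
  vulnerable_reset(request, vulnerable_outbox)

  hardened_outbox = Outbox.new
  hardened_reset(request, hardened_outbox)

  {
    vulnerable_leaks_to_attacker: vulnerable_outbox.sent.any? { |to, _| to == attacker },
    hardened_leaks_to_attacker: hardened_outbox.sent.any? { |to, _| to == attacker },
    hardened_recipients: hardened_outbox.sent.map(&:first)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The check worth carrying to any reset flow is the one in `hardened_reset`: the delivery address must come from the stored, verified account record, never from the request, and the parameter's type must be validated before lookup so a list cannot split "who is this for" from "where does it go".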

