May 2, 2024 at 10:25AM
CISA has ordered federal agencies to patch a critical GitLab vulnerability that attackers are actively exploiting. The flaw, CVE-2023-7028, allows unauthenticated account takeover and, because GitLab hosts source code and CI/CD pipelines, opens the door to software supply chain attacks. GitLab has released fixed versions; accounts with two-factor authentication enabled are protected from takeover, since an attacker who resets the password still lacks the second factor. Roughly 2,149 internet-exposed GitLab instances remain unpatched.
1. The US Cybersecurity and Infrastructure Security Agency (CISA) has directed all federal civilian agencies to patch a critical, actively exploited vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE).
2. When a vulnerability is added to CISA's Known Exploited Vulnerabilities (KEV) catalog, federal civilian executive branch agencies are given a fixed remediation deadline, typically 21 days (three weeks).
3. The vulnerability, CVE-2023-7028, is an improper access control flaw in GitLab's password reset flow: a password reset email could be delivered to an unverified, attacker-supplied email address. This gives an attacker a zero-click route to full account takeover, needing only the target account's registered address, and from there a foothold for tampering with code and pipelines (software supply chain attacks).
4. GitLab disclosed the vulnerability in January 2024 and assigned it the maximum CVSS score of 10.0; the National Vulnerability Database (NVD) scored it 7.5.
5. All GitLab releases from 16.1 through 16.7 below the fixed patch level are affected; 16.0 and earlier did not contain the flaw, and 16.8 and later include the fix. Accounts with two-factor authentication (2FA) enabled are not fully exposed: the password can still be reset, but the attacker cannot log in without the second factor. 2FA is therefore a mitigation for takeover, not a substitute for patching.
6. The number of publicly exposed vulnerable GitLab instances has fallen from 4,652 in January to 2,149 at the time of writing, with the largest concentrations in Europe and Asia.
7. GitLab fixed the vulnerability in versions 16.5.6, 16.6.4 and 16.7.2, and backported the fix to 16.1.6, 16.2.9, 16.3.7 and 16.4.5. Any instance on one of these minor lines must be at or above the listed patch level to be safe.
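The version boundaries above are easy to get wrong when triaging an inventory of self-managed instances (a 16.4.4 box is vulnerable, a 16.0.8 box is not). The following is an added example, not code from the article or from GitLab, that encodes the fixed releases listed above and classifies version strings against them. The sample inventory is constructed for illustration; in practice the version string comes from an authenticated `GET /api/v4/version` call or the admin area of each instance.

```python
"""Classify GitLab version strings against the CVE-2023-7028 fixed releases."""
from __future__ import annotations

# Fixed patch level per affected minor line, taken from the GitLab advisory as
# reported above. Any release on these lines below the listed patch is vulnerable.
FIXED_VERSIONS: dict[tuple[int, int], int] = {
    (16, 1): 6,
    (16, 2): 9,
    (16, 3): 7,
    (16, 4): 5,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-ee' (GitLab appends '-ee' / '-ce') into integers."""
    core = version.strip().split("-", 1)[0]  # drop the edition suffix if present
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if `version` falls in an affected range for CVE-2023-7028."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:
        # Outside 16.1-16.7: 16.0 and earlier never had the flaw, 16.8+ ships the fix.
        return False
    return patch < fixed_patch


def recommended_fix(version: str) -> str | None:
    """Smallest fixed release on the instance's own minor line, or None if already safe."""
    if not is_vulnerable(version):
        return None
    major, minor, _ = parse_version(version)
    return f"{major}.{minor}.{FIXED_VERSIONS[(major, minor)]}"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each hostname to 'patch to X.Y.Z' or 'ok' for a hostname -> version inventory."""
    result = {}
    for host, version in inventory.items():
        fix = recommended_fix(version)
        result[host] = f"patch to {fix}" if fix else "ok"
    return result


# Constructed sample inventory (hypothetical hosts and versions, not real systems).
SAMPLE_INVENTORY = {
    "git.example.internal": "16.4.4-ee",   # below 16.4.5: vulnerable
    "gitlab.dev.example": "16.7.2-ee",      # exactly the fixed release: safe
    "legacy.example.internal": "16.0.8-ce", # predates the flaw: safe
    "new.example.internal": "16.8.1-ee",    # after the fix: safe
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {verdict}")
```

A passing result here only means the code is patched; instances that were exposed before patching should also be checked for password reset emails to unexpected addresses and for unexplained credential or token changes on privileged accounts, since a patch does not evict an attacker who has already taken over an account.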