
US CISA Marks GitLab Bug As 'Critical' Flaw, Can Take Over Accounts By Sending Password Reset Emails

The issue, if exploited, can result in unauthorised access to GitLab user accounts, theft of sensitive data and credentials, and the injection of malicious code into source code repositories.

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added a 'critical' flaw affecting GitLab to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw, tracked as CVE-2023-7028, carries a CVSS score of 10.0, the maximum severity, and could facilitate account takeover by sending password reset emails to an unverified email address. GitLab originally disclosed the details of the shortcoming earlier this January and said that it was introduced as part of a code change in version 16.1.0 on May 1, 2023.

GitLab noted, "Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."


What Effects Can This 'Critical' Flaw Have?

The issue, if exploited successfully, can lead to severe consequences. It not only allows an attacker to gain control over a GitLab user account but also to pilfer sensitive data and credentials, and even to contaminate source code repositories with harmful code, potentially triggering supply chain attacks.

Cloud security firm Mitiga recently said, "For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server. Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks."

The vulnerability has been fixed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and the patches have also been applied to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5 as a precautionary measure.
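For administrators triaging their own instances, the following added example (not GitLab's code) turns the introducing and fixed versions listed above into a small check that reports whether a given GitLab version string falls in the affected range. Any series the article does not list (for example 16.8 and later, or a later major) is reported as unknown rather than guessed, so the vendor advisory should be consulted for those.

```python
"""Triage helper for CVE-2023-7028 (added example, not GitLab's own code).
Classifies a GitLab version using only the introducing version (16.1.0)
and the patched releases named in the article."""
import re

INTRODUCED = (16, 1, 0)  # the vulnerable code change shipped in 16.1.0

# First patched release per minor series, as listed in the article.
FIXED_BY_SERIES = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '16.5.3-ee' or '16.5.3' into (16, 5, 3); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return 'not_affected', 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(text)
    if v < INTRODUCED:
        return "not_affected"  # predates the vulnerable code change
    fixed = FIXED_BY_SERIES.get(v[:2])
    if fixed is None:
        # Series not named in the article (assumption: do not guess; a
        # release after 16.7 must be checked against the vendor advisory).
        return "unknown"
    return "vulnerable" if v < fixed else "patched"


if __name__ == "__main__":
    # Constructed sample version strings, one per interesting boundary.
    for sample in ["16.0.8", "16.1.0", "16.4.4-ee", "16.4.5",
                   "16.7.1", "16.7.2", "16.8.0"]:
        print(f"{sample:>10}: {assess(sample)}")
```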

CISA has not disclosed further specifics regarding the exploitation of the vulnerability in actual attacks. Given the risk of ongoing exploitation, federal agencies are mandated to implement the latest updates by May 22, 2024, to safeguard their networks.
