Explorer

US CISA Marks GitLab Bug As 'Critical' Flaw, Can Takeover Accounts By Sending Password Reset Emails

The issue, if exploited, can result in unauthorised access to GitLab user accounts, theft of sensitive data and credentials, and the injection of malicious code into source code repositories.

US Cybersecurity and Infrastructure Security Agency (CISA) has recently added a 'critical' flaw to its Known Exploited Vulnerabilities (KEV) catalogue. The latest addition to the catalogue impacts GitLab. The flaw has been identified as CVE-2023-7028 (CVSS score: 10.0), which is the maximum severity vulnerability and it could facilitate account takeover by sending password reset emails to an unverified email address. GitLab originally disclosed the details of the shortcoming earlier this January and said that it was introduced as part of a code change in version 16.1.0 on May 1, 2023.

GitLab noted, "Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."

ALSO READ | Scared Of AI Taking Away Your Job? Here's How You Can Harness The New Tech & Become Irreplaceable

What Effects Can This 'Critical' Flaw Have

The issue, if exploited successfully, can lead to severe consequences. It not only allows an attacker to gain control over a GitLab user account but also to pilfer sensitive data, and credentials, and even contaminate source code repositories with harmful code, potentially triggering supply chain attacks.

Cloud security firm Mitiga recently said, "For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server. Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks."

The vulnerability has been fixed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and the patches have also been applied to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5 as a precautionary measure.

CISA has not disclosed further specifics regarding the exploitation of the vulnerability in actual attacks. Given the risk of ongoing exploitation, federal agencies are mandated to implement the latest updates by May 22, 2024, to safeguard their networks.

Top Headlines

OPINION | India's Smartphone Affordability Shift: Why Value Matters More Than Price
OPINION | India's Smartphone Affordability Shift: Why Value Matters More Than Price
Too Much AI Slop On LinkedIn? Users Are Turning To Messy, Human Posts For Better Reach
Too Much AI Slop On LinkedIn? Users Are Turning To Messy, Human Posts
Musk Vs Altman Reloaded: Apple Lawsuit Triggers Fresh AI Billionaire Brawl On X
Musk Vs Altman Reloaded: Apple Lawsuit Triggers Fresh AI Billionaire Brawl
Netflix Considers Radical Live TV Move Amid Growing Engagement Concerns: Report
Netflix Considers Radical Live TV Move Amid Growing Engagement Concerns

Videos

Breaking News: Protests Against Pakistan Government Continue in PoK for 35th Day
Safety Alert: Birthday Banner Falls From Flyover Onto Bike on Thane Highway
Breaking News: Baba Ramdev's Hindu Rashtra Remarks Trigger Political Controversy
Breaking News: Nitesh Rane's Remarks on Aamir Khan's Marriage Spark Political Row
Breaking: Four Teenagers Drown in Yamuna River in Delhi's Alipur

Photo Gallery

25°C
New Delhi
Rain: 100mm
Humidity: 97%
Wind: WNW 47km/h
See Today's Weather
powered by
Accu Weather
Embed widget