US Cybersecurity and Infrastructure Security Agency (CISA) has recently added a 'critical' flaw to its Known Exploited Vulnerabilities (KEV) catalogue. The latest addition to the catalogue impacts GitLab. The flaw has been identified as CVE-2023-7028 (CVSS score: 10.0), which is the maximum severity vulnerability and it could facilitate account takeover by sending password reset emails to an unverified email address. GitLab originally disclosed the details of the shortcoming earlier this January and said that it was introduced as part of a code change in version 16.1.0 on May 1, 2023.


GitLab noted, "Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."


ALSO READ | Scared Of AI Taking Away Your Job? Here's How You Can Harness The New Tech & Become Irreplaceable


What Effects Can This 'Critical' Flaw Have


The issue, if exploited successfully, can lead to severe consequences. It not only allows an attacker to gain control over a GitLab user account but also to pilfer sensitive data, and credentials, and even contaminate source code repositories with harmful code, potentially triggering supply chain attacks.


Cloud security firm Mitiga recently said, "For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server. Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks."


The vulnerability has been fixed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and the patches have also been applied to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5 as a precautionary measure.


CISA has not disclosed further specifics regarding the exploitation of the vulnerability in actual attacks. Given the risk of ongoing exploitation, federal agencies are mandated to implement the latest updates by May 22, 2024, to safeguard their networks.