CISA sounds alarm on critical GitLab flaw under active exploit


The US Cybersecurity and Infrastructure Security Agency (CISA) has labelled a critical vulnerability affecting the popular Git-based repository manager GitLab as a Known Exploited Vulnerability (KEV). The move comes in response to active exploitation attempts detected in the wild, underscoring the urgency for organisations to promptly apply security updates.

Tracked as CVE-2023-7028, the flaw (CVSS score: 10.0) let an attacker take over a user account by having GitLab deliver that account's password reset link to an unverified email address under the attacker's control: the reset form accepted more than one address in its email parameter and mailed the link to each of them, so knowing a victim's address was enough to receive the victim's reset link. CISA's KEV catalogue lists publicly known vulnerabilities that carry significant risk to the federal enterprise and that have been exploited in the wild.

GitLab initially disclosed the flaw in January 2024. The vulnerability was introduced by a code change in version 16.1.0 (the advisory dates the change to May 1, 2023) and, in GitLab's words, affects “all authentication mechanisms” on vulnerable versions.

“Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login,” GitLab stated in its advisory.
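A defender's first question after reading the above is whether anyone tried this against their instance. The check below is an added example written for this article, not code from GitLab or CISA: it scans the two Rails logs GitLab's advisory pointed at (gitlab-rails/production_json.log, for POSTs to /users/password whose email parameter is an array of several addresses, and gitlab-rails/audit_json.log, for PasswordsController#create events whose target_details is an array of several addresses). The sample log lines are constructed for the example; the exact field layout around the `params` and `meta.caller_id` keys is an assumption about GitLab's JSON log format, so adjust the accessors if your log lines differ.

```python
import json
from typing import Callable, Iterable, List

RESET_PATH = "/users/password"
RESET_CALLER = "PasswordsController#create"


def _reset_emails(params) -> List[str]:
    """Return the address(es) submitted as user[email] from a production_json.log
    'params' list, assumed to be recorded as [{"key": ..., "value": ...}, ...].
    A normal reset sends a single string; the abuse case sends a list."""
    for p in params or []:
        if isinstance(p, dict) and p.get("key") == "user" and isinstance(p.get("value"), dict):
            email = p["value"].get("email")
            if isinstance(email, list):
                return [str(e) for e in email]
            if isinstance(email, str):
                return [email]
    return []


def suspicious_reset_request(entry: dict) -> bool:
    """production_json.log rule: POST /users/password whose email parameter
    holds more than one address (one reset link mailed to several inboxes)."""
    if entry.get("method") != "POST" or entry.get("path") != RESET_PATH:
        return False
    return len(_reset_emails(entry.get("params"))) > 1


def suspicious_audit_event(entry: dict) -> bool:
    """audit_json.log rule: a PasswordsController#create event whose
    target_details is an array of more than one address. The caller is read
    from the flat "meta.caller_id" key, with a nested form tolerated."""
    meta = entry.get("meta") if isinstance(entry.get("meta"), dict) else {}
    caller = entry.get("meta.caller_id") or meta.get("caller_id")
    if caller != RESET_CALLER:
        return False
    details = entry.get("target_details")
    return isinstance(details, list) and len(details) > 1


def scan(lines: Iterable[str], rule: Callable[[dict], bool]) -> List[dict]:
    """Apply one rule to each JSON line; malformed lines are skipped, not fatal,
    so one garbled line cannot abort an incident-response sweep."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and rule(entry):
            hits.append(entry)
    return hits


# Constructed sample lines (not real GitLab output). Addresses use RFC 5737/2606
# example ranges; the second production line has the exploit shape.
SAMPLE_PRODUCTION_LOG = [
    '{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},'
    '{"key":"user","value":{"email":"alice@example.com"}}],"status":302,"remote_ip":"198.51.100.7"}',
    '{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":'
    '["alice@example.com","attacker@evil.example"]}}],"status":302,"remote_ip":"203.0.113.9"}',
    '{"method":"GET","path":"/users/sign_in","params":[],"status":200,"remote_ip":"198.51.100.7"}',
    'not json at all',
]
SAMPLE_AUDIT_LOG = [
    '{"time":"2024-01-12T10:00:00.000Z","target_details":"alice@example.com","meta.caller_id":"PasswordsController#create"}',
    '{"time":"2024-01-12T10:05:00.000Z","target_details":["alice@example.com","attacker@evil.example"],'
    '"meta.caller_id":"PasswordsController#create"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PRODUCTION_LOG, suspicious_reset_request):
        print("reset request to multiple addresses from", hit.get("remote_ip"), _reset_emails(hit.get("params")))
    for hit in scan(SAMPLE_AUDIT_LOG, suspicious_audit_event):
        print("audit event targeting", hit["target_details"], "at", hit.get("time"))
```

Run it over the real files with `scan(open("/var/log/gitlab/gitlab-rails/production_json.log"), suspicious_reset_request)`; a hit is the trigger to treat the first address in the list as a potentially compromised account, not merely a noisy user. A single-address reset, the benign case, is deliberately not flagged.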

The consequences of successful exploitation could be severe, according to security researchers.

Cloud security firm Mitiga warned that an attacker gaining control of a GitLab user account could potentially steal sensitive information, credentials, and even inject malicious code into source code repositories, paving the way for supply chain attacks.

“For the attackers and internal bad actors who prey on it, GitLab represents something else: a rich source of organisational value filled with intellectual property. So, understanding the risks for potential attacks and misuse is important for GitLab users,” explained Mitiga.

“An attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server.

“Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorised access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorised access, and supply chain attacks.”

GitLab has since released patches to address the vulnerability in versions 16.5.6, 16.6.4, and 16.7.2, with backports available for versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
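Because the fix shipped as a different patch level on each affected minor line, "am I patched?" is a per-line comparison rather than a single threshold. The helper below is an added example for this article, not GitLab's own tooling; it encodes the fixed versions listed above and the 16.1.0 starting point, treats 16.0.x and earlier and 16.8 and later as outside the affected range, and tolerates the `-ee` suffix GitLab reports. The function and constant names are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# First patched release on each affected minor line, as listed in the advisory.
FIXED: Dict[Tuple[int, int], int] = {
    (16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
    (16, 5): 6, (16, 6): 4, (16, 7): 2,
}
FIRST_VULNERABLE = (16, 1, 0)  # the change behind the bug landed in 16.1.0


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '16.7.1', 'v16.7.1' or the '16.7.1-ee' form GitLab reports."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(text: str) -> bool:
    """True when the running version is in the affected range and below the
    first fixed patch level of its minor line."""
    major, minor, patch = parse_version(text)
    if (major, minor, patch) < FIRST_VULNERABLE:
        return False  # 16.0.x and earlier never carried the change
    fix = FIXED.get((major, minor))
    if fix is None:
        return False  # 16.8 and later were cut after the fix
    return patch < fix


def needed_upgrade(text: str) -> Optional[str]:
    """Smallest release on the same minor line that carries the fix, or None."""
    if not is_vulnerable(text):
        return None
    major, minor, _ = parse_version(text)
    return f"{major}.{minor}.{FIXED[(major, minor)]}"


if __name__ == "__main__":
    for v in ("16.0.8", "16.1.0", "16.4.4", "16.7.1-ee", "16.7.2", "16.8.0"):
        print(f"{v:10} vulnerable={is_vulnerable(v)!s:5} upgrade_to={needed_upgrade(v)}")
```

The version string to feed in comes from the authenticated `GET /api/v4/version` endpoint or from `sudo gitlab-rake gitlab:env:info` on the host. Staying on the same minor line (for example 16.4.4 to 16.4.5) is the smallest change that closes the bug, which is why the backports matter for teams that cannot jump to 16.7 immediately.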

CISA’s decision to add CVE-2023-7028 to the KEV catalogue underscores the severity of the flaw and the risk it poses to federal agencies and critical infrastructure. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate a listed vulnerability by its due date, which for this entry is 22 May 2024.

CISA has not said how the vulnerability is being exploited, but the directive reinforces the case for timely patching in the face of persistent attacks on software supply chains. Upgrading closes the reset bug; it does not undo an account that was already hijacked, so administrators of instances that ran an affected version should also review recent password resets and email-address changes on privileged accounts and rotate any tokens or keys those accounts could reach.

(Photo by Leandro Mazzuquini)