GitLab Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE)

Published: Jan 15, 2024 15:22

Advisory No: TZCERT/SA/2024/01/15

Source: GitLab

Software Affected: GitLab self-managed instances versions 16.1 to 16.1.5, 16.2 to 16.2.8, 16.3 to 16.3.6, 16.4 to 16.4.4, 16.5 to 16.5.5, 16.6 to 16.6.3 and 16.7 to 16.7.1

Overview

GitLab has released security updates to address two critical vulnerabilities (CVE-2023-7028 and CVE-2023-5356), one of which could be exploited to take over accounts without requiring any user interaction.

Description

The first vulnerability (CVE-2023-7028, CVSS score: 10) is caused by a fault in the email verification procedure, which allowed users to reset their passwords using a secondary email address. The second critical flaw (CVE-2023-5356, CVSS score: 9.6) permits a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

Impact

Successful exploitation of these vulnerabilities may allow a remote attacker to take control of the affected system.

Solution

GitLab has released updates to resolve these vulnerabilities. Users and administrators are encouraged to upgrade to the latest version as soon as possible.
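The affected-version list above is the piece of this advisory an administrator acts on first, so here is an added example (not code from GitLab or TZ-CERT) that encodes those ranges and reports whether a given self-managed GitLab version falls inside one of them. It assumes the version string is in GitLab's usual form (`16.7.1`, or `16.7.1-ee` with an edition suffix), and it accepts the JSON body returned by GitLab's own `/api/v4/version` endpoint so the check can be run against a real instance; the JSON sample in the block is constructed for illustration.

```python
"""Check a GitLab version against the affected ranges in TZCERT/SA/2024/01/15.

Added example, not GitLab or TZ-CERT code. The ranges are copied from the
advisory's "Software Affected" line; lower bounds such as "16.1" mean 16.1.0.
"""
import json
import re
from typing import List, Optional, Tuple

# (first affected, last affected) per minor release, inclusive, as the advisory lists them.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("16.1", "16.1.5"),
    ("16.2", "16.2.8"),
    ("16.3", "16.3.6"),
    ("16.4", "16.4.4"),
    ("16.5", "16.5.5"),
    ("16.6", "16.6.3"),
    ("16.7", "16.7.1"),
]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '16.7.1', '16.7', or '16.7.1-ee' into a (major, minor, patch) tuple.

    Edition suffixes and pre-release tags after '-' are dropped; a missing
    minor or patch component is treated as 0 so '16.1' compares as 16.1.0.
    """
    core = text.strip().split("-", 1)[0]
    match = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in match.groups())
    return (major, minor, patch)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the advisory range containing `version`, or None if it is not listed."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    """True when `version` lies in any range the advisory lists as affected."""
    return affected_range(version) is not None


def check_version_json(body: str) -> str:
    """Evaluate the JSON body of GET /api/v4/version (fields: version, revision).

    Returns a one-line verdict suitable for a monitoring check or ticket note.
    """
    version = json.loads(body)["version"]
    rng = affected_range(version)
    if rng is None:
        return f"{version}: not in an affected range listed by the advisory"
    return f"{version}: AFFECTED (range {rng[0]} to {rng[1]}); upgrade per GitLab's fixed releases"


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch /api/v4/version
    # from the instance with an authenticated client and pass the body here.
    sample_body = '{"version": "16.7.1-ee", "revision": "0123456789ab"}'
    print(check_version_json(sample_body))
    for candidate in ("16.0.8", "16.1", "16.5.5", "16.7.2", "16.8.0"):
        print(candidate, "affected" if is_affected(candidate) else "not listed")
```

A version that is not in a listed range is reported as "not listed", not "safe": the advisory names only the ranges above, so versions older than 16.1 or newer than 16.7.1 are simply outside its scope, and the upgrade guidance in the Solution section still applies.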
