GitLab Releases Updates to Address Critical Vulnerabilities

Two vulnerabilities are critical, and three others are determined to be of high, medium, and low severity.

Dark Reading Staff, Dark Reading

January 12, 2024

[Image: GitLab logo. Source: GmbH & Co. KG via Alamy Stock Photo]

In a newly released update, GitLab says it is shipping versions 16.7.2, 16.6.3, and 16.5.6 of GitLab Community Edition (CE) and Enterprise Edition (EE) to address a series of critical vulnerabilities.

The fixes cover two critical vulnerabilities and one each of high, medium, and low severity; the vendor urges customers to upgrade as soon as possible.

The first critical vulnerability, tracked as CVE-2023-7028, is an authentication issue that allows password reset emails to be sent to unverified email addresses; it carries the maximum severity score of 10. Exploitation requires no user interaction, though GitLab noted that it has not detected any active exploitation.

The versions affected are 16.1 prior to 16.1.5; 16.2 prior to 16.2.8; 16.3 prior to 16.3.6; 16.4 prior to 16.4.4; 16.5 prior to 16.5.6; 16.6 prior to 16.6.4; and 16.7 prior to 16.7.2.

The second critical vulnerability, tracked as CVE-2023-5356, stems from incorrect authorization checks and can be used to impersonate another user and execute slash commands in order to abuse Slack/Mattermost. It affects all versions starting from 8.13 before 16.5.6, all versions from 16.6 before 16.6.4, and all versions from 16.7 before 16.7.2.
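As an added example, not code from the article or from GitLab, the following Python script encodes the affected-version ranges quoted above for CVE-2023-7028 and CVE-2023-5356 and reports whether a given GitLab version string (as an instance reports it, with or without a suffix such as "-ee") falls inside them. The version strings fed to it at the bottom are constructed samples, not real instances.

```python
# Added example (not from the Dark Reading article or from GitLab): checks
# whether a GitLab version string falls inside the affected ranges the article
# lists for CVE-2023-7028 and CVE-2023-5356. The ranges are transcribed from
# the text; the sample version strings at the bottom are constructed inputs.
import re

# Each entry is (first affected version, first fixed version); a version is
# affected when first_affected <= version < first_fixed.
# CVE-2023-7028: the article lists one range per 16.x minor series.
CVE_2023_7028_RANGES = [
    ((16, 1, 0), (16, 1, 5)),
    ((16, 2, 0), (16, 2, 8)),
    ((16, 3, 0), (16, 3, 6)),
    ((16, 4, 0), (16, 4, 4)),
    ((16, 5, 0), (16, 5, 6)),
    ((16, 6, 0), (16, 6, 4)),
    ((16, 7, 0), (16, 7, 2)),
]

# CVE-2023-5356: all versions from 8.13 before 16.5.6, 16.6 before 16.6.4,
# and 16.7 before 16.7.2.
CVE_2023_5356_RANGES = [
    ((8, 13, 0), (16, 5, 6)),
    ((16, 6, 0), (16, 6, 4)),
    ((16, 7, 0), (16, 7, 2)),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][suffix]' into a comparable tuple.

    A missing patch level is treated as 0, and trailing suffixes such as
    '-ee' or '-ce.0' (the form GitLab packages report) are ignored.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def in_ranges(version: tuple[int, int, int], ranges) -> bool:
    """True if the version lies in any half-open [first_affected, first_fixed) range."""
    return any(lo <= version < hi for lo, hi in ranges)


def assess(version_text: str) -> dict[str, bool]:
    """Map each CVE from the article to whether the given version is affected."""
    v = parse_version(version_text)
    return {
        "CVE-2023-7028": in_ranges(v, CVE_2023_7028_RANGES),
        "CVE-2023-5356": in_ranges(v, CVE_2023_5356_RANGES),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real instances.
    for sample in ["16.7.1-ee", "16.7.2-ee", "16.5.5", "16.0.8", "15.11.13", "8.12.0"]:
        print(f"{sample:12s} {assess(sample)}")
```

Note that the two CVEs have different lower bounds: a 16.0.x or 15.x instance is outside the ranges given for CVE-2023-7028 but still inside the range given for CVE-2023-5356, so a version check against only the headline CVE can understate exposure.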

The three other vulnerabilities mentioned in the report are a bypass of CODEOWNERS approval removal (CVE-2023-4812), workspaces created under a different root namespace (CVE-2023-6955), and modification of the metadata of signed commits (CVE-2023-2030).

GitLab recommends upgrading and enabling two-factor authentication for all accounts.  
