GitLab Releases Updates to Address Critical Vulnerabilities

In a newly released update, GitLab reports that it is releasing versions 16.7.2, 16.6.3, and 16.5.6 for GitLab Community Edition (CE) as well as Enterprise Edition (EE) in order to address a series of critical vulnerabilities.

Two critical vulnerabilities, alongside one each for high, medium, and low, are listed as part of the fixes that the vendor is urgently recommending as soon as possible. 

The first critical vulnerability — tracked as CVE-2023-7028 — is an authentication issue that allows password resets to be sent to unverified email addresses and has a maximum severity score of 10. Threat actors don't need interaction to successfully exploit this vulnerability, though GitLab noted that it has not detected any active exploitation.

The versions affected are 16.1 prior to 16.1.5; 16.2 prior to 16.2.8; 16.3 prior to 16.3.6; 16.4 prior to 16.4.4; 16.5 prior to 16.5.6; 16.6 prior to 16.6.4; and 16.7 prior to 16.7.2.

The second critical vulnerability — tracked as CVE-2023-5356 — can be used to impersonate another user to execute slash commands in order to abuse Slack/Mattermost. There are incorrect authorization checks in all versions starting from 8.13 before 16.5.6, all versions from 16.6 before 16.6.4, and all versions from 16.7 before 16.7.2.

The three other vulnerabilities mentioned in the report are related to bypass CODEOWNERS approval removal (CVE-2023-4812), workspaces created under different root namespace (CVE-2023-6955), and modification of the metadata of signed commits (CVE-2023-2030). 

GitLab recommends upgrading and enabling two-factor authentication for all accounts.