The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.
Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address.
GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023.
“Within these versions, all authentication mechanisms are impacted,” the company noted at the time. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”
Successful exploitation of the issue can have severe consequences, as it not only allows an adversary to take control of a GitLab user account, but also to steal sensitive information and credentials, and even poison source code repositories with malicious code, leading to supply chain attacks.
“For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server,” cloud security firm Mitiga said in a recent report.
“Similarly, tampering with repository code may involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks.”
The flaw has been addressed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with the patches also backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
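The affected range is not a single version threshold: a release is exposed only if it is at or after 16.1.0 and below the first fixed release on its own 16.x branch, and 16.8 and later shipped with the fix. The following added example (not from the article or from GitLab) encodes exactly that, using the introduced and fixed versions quoted above, so an administrator can check an instance's reported version string before deciding whether to treat it as exposed to CVE-2023-7028.

```python
"""Decide whether a GitLab version string falls in the CVE-2023-7028 affected range.

Added example, not from the original article or from GitLab. The ranges are
taken from the article: introduced in 16.1.0, fixed in 16.5.6, 16.6.4 and
16.7.2, with backports to 16.1.6, 16.2.9, 16.3.7 and 16.4.5.
"""
import re

INTRODUCED = (16, 1, 0)

# (major, minor) branch -> first patch release on that branch containing the fix
FIXED_ON_BRANCH = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
LAST_AFFECTED_BRANCH = (16, 7)  # 16.8 and later were released with the fix


def parse_version(text):
    """Turn '16.7.1', 'v16.7.1' or '16.7.1-ee' into an integer tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """Return True if the given GitLab version is in the vulnerable range."""
    v = parse_version(version)
    if v < INTRODUCED:
        return False  # the faulty code change had not landed yet
    branch = v[:2]
    if branch > LAST_AFFECTED_BRANCH:
        return False  # branch created after the fix
    return v < FIXED_ON_BRANCH[branch]  # below the backported/fixed release


if __name__ == "__main__":
    for sample in ("16.0.8", "16.1.0", "16.4.4-ee", "16.4.5", "16.7.1", "16.8.0"):
        print(sample, "affected" if is_affected(sample) else "not affected")
```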
CISA has yet to provide any other details as to how the vulnerability is being exploited in real-world attacks. In light of active exploitation, federal agencies are required to apply the latest fixes by May 22, 2024, to secure their networks.
Some parts of this article are sourced from:
thehackernews.com