Vulnerabilities in GitLab that allow account hijacking and execution of commands as another user

Corrective updates for the GitLab collaborative development platform have been published: GitLab 16.7.2, 16.6.4 and 16.5.6, which fix two critical vulnerabilities. The first vulnerability (CVE-2023-7028), rated at the maximum severity level (10 out of 10), allows an attacker to take over another user's account by manipulating the forgotten-password recovery form. The vulnerability is caused by the possibility of sending an email containing a password reset code to unverified email addresses. The problem has been present since the release of GitLab 16.1.0, which introduced the ability to send a password recovery code to an unverified backup email address.

To check whether a system has been compromised, it is suggested to look in the gitlab-rails/production_json.log log for HTTP requests to the /users/password handler whose “params.value.email” parameter contains an array of several email addresses. It is also suggested to check the gitlab-rails/audit_json.log log for entries with the value PasswordsController#create in meta.caller.id and an array of several addresses in the target_details block. The attack cannot be completed if the user has two-factor authentication enabled.
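The two log checks described above, written out as an added example that is not from the original post or from GitLab. The log field layout (params as a list of key/value objects, meta.caller_id next to the page's meta.caller.id spelling, target_details) and the sample log lines are assumptions constructed for illustration:

```python
import json

# Constructed sample log lines (not real GitLab output). The field layout is assumed from
# the advisory text: params is a list of {key, value} objects; audit entries carry target_details.
PRODUCTION_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.5"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","unverified@example.net"]}}],"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.5"}
"""
AUDIT_LOG = """\
{"meta.caller_id":"PasswordsController#create","target_details":"alice@example.com"}
{"meta.caller_id":"PasswordsController#create","target_details":["alice@example.com","unverified@example.net"]}
{"meta.caller_id":"SessionsController#create","target_details":"bob@example.com"}
"""

def _entries(lines):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]

def suspicious_reset_requests(lines):
    """production_json.log entries for /users/password whose params.value.email is a list."""
    hits = []
    for entry in _entries(lines):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params") or []:
            value = param.get("value")
            email = value.get("email") if isinstance(value, dict) else None
            if isinstance(email, list) and len(email) > 1:
                hits.append(entry)
                break
    return hits

def suspicious_audit_entries(lines):
    """audit_json.log entries from PasswordsController#create whose target_details is a list."""
    hits = []
    for entry in _entries(lines):
        # the advisory writes the key as meta.caller.id; accept the underscore form too
        caller = entry.get("meta.caller_id") or entry.get("meta.caller.id")
        targets = entry.get("target_details")
        if caller == "PasswordsController#create" and isinstance(targets, list) and len(targets) > 1:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in suspicious_reset_requests(PRODUCTION_LOG):
        print("reset request with several emails from", hit["remote_ip"])
    for hit in suspicious_audit_entries(AUDIT_LOG):
        print("audit entry with several targets:", hit["target_details"])
```

On a real instance, feed the functions the contents of the two log files; a single-address reset request is normal and is deliberately not flagged.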

The second vulnerability, CVE-2023-5356, is present in the code for integration with the Slack and Mattermost services, and allows slash (/) commands to be executed as another user because of a missing authorization check. The issue is rated at a severity level of 9.6 out of 10. The new versions also fix a less dangerous (7.6 out of 10) vulnerability (CVE-2023-4812), which allows the CODEOWNERS approval to be bypassed by adding changes to a previously approved merge request.

Detailed information about the identified vulnerabilities is planned to be disclosed 30 days after the publication of the fix. The vulnerabilities were submitted to GitLab through HackerOne's vulnerability bounty program.