CVE-2023-7028 is a vulnerability in GitLab
Published on January 12, 2024
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Known Exploited Vulnerability
This GitLab Community and Enterprise Editions Improper Access Control Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.
The following remediation steps are recommended / required by May 22, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-7028 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Products Associated with CVE-2023-7028
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-7028 are published in these products:
What versions of GitLab are vulnerable to CVE-2023-7028?
- GitLab Version 16.6.0 Fixed in Version 16.6.4
- GitLab Version 16.6.0 Fixed in Version 16.6.4
- GitLab Version 16.4.0 Fixed in Version 16.4.5
- GitLab Version 16.4.0 Fixed in Version 16.4.5
- GitLab Version 16.1.0 Fixed in Version 16.1.6
- GitLab Version 16.1.0 Fixed in Version 16.1.6
- GitLab Version 16.2.0 Fixed in Version 16.2.9
- GitLab Version 16.2.0 Fixed in Version 16.2.9
- GitLab Version 16.3.0 Fixed in Version 16.3.7
- GitLab Version 16.3.0 Fixed in Version 16.3.7
- GitLab Version 16.7.0 Fixed in Version 16.7.2
- GitLab Version 16.7.0 Fixed in Version 16.7.2
- GitLab Version 16.5.0 Fixed in Version 16.5.6
- GitLab Version 16.5.0 Fixed in Version 16.5.6