-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #704 from DIVD-NL/2024-00002-gitlab
start divd-2024-00002
- Loading branch information
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| --- | ||
| layout: case | ||
| title: "Account takeover vulnerability in Gitlab CE/EE" | ||
| excerpt: "Gitlab CE/EE critical account takeover vulnerability" | ||
| author: Ralph Horn | ||
| lead: Stan Plasmeijer | ||
| researchers: | ||
| - Stan Plasmeijer | ||
| - Ralph Horn | ||
|
|
||
| # You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet). | ||
| cves: | ||
| - CVE-2023-7028 | ||
| product: | ||
| - Gitlab Enterprise Edition | ||
| - Gitlab Community Edition | ||
| versions: | ||
| - 16.1 prior to 16.1.5 | ||
| - 16.2 prior to 16.2.8 | ||
| - 16.3 prior to 16.3.6 | ||
| - 16.4 prior to 16.4.4 | ||
| - 16.5 prior to 16.5.6 | ||
| - 16.6 prior to 16.6.4 | ||
| - 16.7 prior to 16.7.2 | ||
| recommendation: "Patch your Gitlab instance to the non vulnerable version" | ||
| patch_status: Released | ||
|
|
||
| status : open | ||
| start: 2024-01-12 | ||
| end: | ||
| timeline: | ||
| - start: 2024-01-12 | ||
| end: | ||
| event: "DIVD receives signals about a vulnerability in Gitlab EE/CE and starts fingerprinting" | ||
| - start: 2024-01-13 | ||
| end: | ||
| event: “DIVD starts scanning for vulnerable instances." | ||
| - start: 2024-01-13 | ||
| end: | ||
| event: “Case opened, first version of this casefile." | ||
| #ips: | ||
| # ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials) | ||
| # This field becomes mandatory when the case status is set to 'Closed' | ||
| --- | ||
| ## Summary | ||
|
|
||
| An account takeover vulnerability via password reset without any user interactions was discovered in Gitlab CE/EE. This vulnerability is tracked as CVE-2023-7028 and can allow an attacker to take control over administrator accounts. Gitlab has released a patch to remediate the vulnerability. This vulnerability is currently exploited in the wild. | ||
|
|
||
|
|
||
| ## What you can do | ||
| Given that there is active exploitation, it is crucial to patch the system as soon as possible. Gitlab recommends patching the system and enabling Two-Factor Authentication (2FA) for all GitLab accounts. | ||
|
|
||
| ## What we are doing | ||
| DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Gitlab instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps. | ||
|
|
||
| {% comment %} Leave this here, so we see a timeline{% endcomment %} | ||
| {% include timeline.html %} | ||
|
|
||
|
|
||
| ## More information | ||
| * [Gitlab Publication](https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/) | ||
| * [BleepingComputer Blogpost](https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/) | ||
| * {% cve CVE-2023-7028 %} | ||
|
|