An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Poc tested on Kali 2023.3

• Install GitLab 16.7.0-ee in docker

#sudo docker pull gitlab/gitlab-ee:16.7.0-ee.0

#sudo docker run --detach --publish 8443:443 --publish 2222:22 --publish 8080:80 --name gitlab-container --restart always --volume $GITLAB_HOME/config:/etc/gitlab --volume $GITLAB_HOME/logs:/var/log/gitlab --volume $GITLAB_HOME/data:/var/opt/gitlab --shm-size 256m gitlab/gitlab-ee:16.7.0-ee.0

be patient it take some times to start!

• setup smtp in the gitlab container https://docs.gitlab.com/omnibus/settings/smtp.html

• Log in gitlab

#sudo docker exec -it gitlab-container grep "Password:" /etc/gitlab/initial_root_password Login/pass: root/result of grep above

http://my.docker.ip:8080/

• create an account by going to "Admin Area" and Users

next create a user with a valid email account and validate your account

• run the poc

  ./cve-2023-7028.sh https://gitlab.site.com useremail@gitlab.site.com otheremail@otherdomain.com

• result an email is send to the original email adress AND the other email adress

  

Workaround/Fix: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

more about me ;) https://www.linkedin.com/in/duy-huan-bui/

⚠️ Disclaimer: IMPORTANT: This script is provided for educational, ethical testing, and lawful use ONLY. Do not use it on any system or network without explicit permission. Unauthorized access to computer systems and networks is illegal, and users caught performing unauthorized activities are subject to legal actions. The author is NOT responsible for any damage caused by the misuse of this script.