hackeremmen / gitlab-exploit

GitLab CVE-2023-7028


gitlab-exploit

GitLab CVE-2023-7028

The vulnerability was caused by a bug in how GitLab handled email verification during password reset. An attacker could provide two email addresses in a password reset request, and the reset code would be sent to both addresses. This allowed the attacker to reset the password of any user without knowing the user's current password.

Affected Versions

All instances of GitLab CE/EE running the following versions were vulnerable:

- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1

Exploit:
https://lnkd.in/erWrJjHH
https://lnkd.in/eJaC_EK8

Mitigations

- Enable GitLab security alerts, which give early awareness of patches: https://lnkd.in/eUqyZT3z
- Upgrade GitLab to a patched version.
- Enable two-factor authentication (2FA) for all GitLab accounts, especially administrator accounts.
- Follow secure coding practices, including proper input validation and email address verification.
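To make the last point concrete, here is an added example (not code from this repository or from GitLab) of a minimal password-reset handler written two ways: one that trusts the address list in the request and mails the token to every entry, mirroring the defect described above, and a hardened one that accepts a single string, matches it against the account's stored addresses, and sends the token only to a verified address on record. The user store, mailer and request shape are hypothetical.

```python
import secrets
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample data: one account whose only address is verified.
USERS: Dict[str, Dict[str, Dict[str, bool]]] = {
    "alice": {"emails": {"alice@example.org": True}},
}

Outbox = List[Tuple[str, str]]  # (recipient, token) pairs captured instead of mailed


def _send(addr: str, token: str, outbox: Outbox) -> None:
    outbox.append((addr, token))


def reset_vulnerable(params: Dict[str, Any], outbox: Outbox) -> Optional[str]:
    """Defective pattern: the request body decides where the token is delivered."""
    emails = params.get("email")
    if isinstance(emails, str):
        emails = [emails]
    # The account is matched if ANY supplied address belongs to it...
    user = next((u for u, d in USERS.items()
                 if any(e in d["emails"] for e in emails)), None)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    # ...but the token is then sent to EVERY supplied address, verified or not.
    for e in emails:
        _send(e, token, outbox)
    return token


def reset_hardened(params: Dict[str, Any], outbox: Outbox) -> Optional[str]:
    """Hardened pattern: one string in, delivery only to a verified stored address."""
    email = params.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None  # reject arrays, objects and other non-string input outright
    email = email.strip().lower()
    user = next((u for u, d in USERS.items() if email in d["emails"]), None)
    if user is None or not USERS[user]["emails"][email]:
        return None  # unknown or unverified address: same response as success
    token = secrets.token_urlsafe(32)
    # Recipient is the stored, verified address, never a value taken from the request.
    _send(email, token, outbox)
    return token
```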
