CVE-2023-7028
published 2024-01-12


Priority: P1 · 97
Severity: critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW exploit · Initial access
CISA Known Exploited Vulnerability, due 2024-05-22
Exploited in the wild
EPSS: 94.95% (99.9th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Affected

17 ranges

Vendor  | Product   | Version range                  | Fixed in
debian  | gitlab    | < gitlab 16.4.5+ds2-1 (sid)    | gitlab 16.4.5+ds2-1 (sid)
gitlab  | gitlab    |                                |
gitlab  | gitlab    | >= 16.1 < 16.1.6               | 16.1.6
gitlab  | gitlab    | >= 16.1.0 < 16.1.6             | 16.1.6
gitlab  | gitlab    | >= 16.2 < 16.2.9               | 16.2.9
gitlab  | gitlab    | >= 16.2.0 < 16.2.9             | 16.2.9
gitlab  | gitlab    | >= 16.3 < 16.3.7               | 16.3.7
gitlab  | gitlab    | >= 16.3.0 < 16.3.7             | 16.3.7
gitlab  | gitlab    | >= 16.4 < 16.4.5               | 16.4.5
gitlab  | gitlab    | >= 16.4.0 < 16.4.5             | 16.4.5
gitlab  | gitlab    | >= 16.5 < 16.5.6               | 16.5.6
gitlab  | gitlab    | >= 16.5.0 < 16.5.6             | 16.5.6
gitlab  | gitlab    | >= 16.6 < 16.6.4               | 16.6.4
gitlab  | gitlab    | >= 16.6.0 < 16.6.4             | 16.6.4
gitlab  | gitlab    | >= 16.7 < 16.7.2               | 16.7.2
gitlab  | gitlab    | >= 16.7.0 < 16.7.2             | 16.7.2
gitlab  | gitlab_ce |                                |

Detection & IOCs (extracted from sources)

path: /users/password
  • Check production_json.log for password reset requests sent to multiple (attacker-controlled) email addresses in a JSON array
  • Check audit_json.log for PasswordsController#create caller entries where target_details is a JSON array with multiple email addresses
  • Rotate all credentials, API tokens, and certificates on any instance found to be compromised, and check for modifications in developer environments including source code and potentially tampered files
  • 2FA protects against full account takeover: password reset is possible but the second factor is still required for login, so accounts with 2FA enabled cannot be fully hijacked via this vulnerability alone
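
The two log checks above, as an added example that is not part of this record or of GitLab's own tooling: it scans JSON-lines logs for password reset requests that carried more than one email address. The sample lines are constructed for the example, and the field layout assumed here (a `params` list of key/value objects in production_json.log; `meta.caller_id` and `target_details` in audit_json.log) should be verified against the instance's real logs before use. It goes slightly beyond the bullets by accepting both a nested `user.email` array and a flattened `user[email][]` key, and by handling `target_details` whether it is logged as a real JSON array or as a string containing one.

```python
import json

# Constructed sample lines, loosely modelled on GitLab's JSON-lines logs.
# The field layout is an assumption made for this example, not taken from the page.
PRODUCTION_JSON_LOG = r'''
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"203.0.113.10","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"198.51.100.7","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"legit@example.com"}}]}
{"method":"GET","path":"/api/v4/projects","controller":"ProjectsController","action":"index","status":200,"remote_ip":"198.51.100.7","params":[]}
'''

AUDIT_JSON_LOG = r'''
{"author_id":-1,"author_name":"An unauthenticated user","entity_type":"User","target_type":"User","target_details":"[\"victim@example.com\", \"attacker@example.net\"]","meta.caller_id":"PasswordsController#create"}
{"author_id":42,"author_name":"alice","entity_type":"User","target_type":"User","target_details":"alice@example.com","meta.caller_id":"PasswordsController#create"}
{"author_id":42,"author_name":"alice","entity_type":"Project","target_type":"Project","target_details":"group/repo","meta.caller_id":"ProjectsController#update"}
'''


def _iter_json_lines(log_text):
    """Yield parsed entries, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def _emails_from_params(params):
    """Return every email address submitted in a reset request's params."""
    for p in params:
        key, value = p.get("key"), p.get("value")
        # Nested form: {"key": "user", "value": {"email": ...}}
        if key == "user" and isinstance(value, dict):
            email = value.get("email")
            if isinstance(email, list):
                return [str(e) for e in email]
            return [] if email is None else [str(email)]
        # Flattened Rack-style form: "user[email]" or "user[email][]"
        if key in ("user[email]", "user[email][]"):
            return [str(v) for v in value] if isinstance(value, list) else [str(value)]
    return []


def find_suspicious_password_resets(log_text):
    """production_json.log: POST /users/password with more than one email."""
    hits = []
    for entry in _iter_json_lines(log_text):
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails = _emails_from_params(entry.get("params", []))
        if len(emails) > 1:
            hits.append({"remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def _parse_target_details(details):
    """target_details may be a JSON array or a string holding one; normalise to a list."""
    if isinstance(details, list):
        return [str(d) for d in details]
    if isinstance(details, str):
        text = details.strip()
        if text.startswith("["):
            try:
                parsed = json.loads(text)
                if isinstance(parsed, list):
                    return [str(d) for d in parsed]
            except json.JSONDecodeError:
                pass
        return [text]
    return []


def find_suspicious_audit_entries(log_text):
    """audit_json.log: PasswordsController#create with multiple target addresses."""
    hits = []
    for entry in _iter_json_lines(log_text):
        if entry.get("meta.caller_id") != "PasswordsController#create":
            continue
        emails = _parse_target_details(entry.get("target_details"))
        if len(emails) > 1:
            hits.append(emails)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_password_resets(PRODUCTION_JSON_LOG):
        print("production_json.log:", hit)
    for emails in find_suspicious_audit_entries(AUDIT_JSON_LOG):
        print("audit_json.log:", emails)
```

Any hit is worth treating as a possible account-takeover attempt against the first address in the list: confirm whether that user's password changed shortly afterwards, and follow the credential-rotation step above if it did.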

CVSS provenance

Source        | CVSS | Score | Severity | Vector
nvd           | v3.1 | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |      | 9.8   | CRITICAL |
vulncheck     |      | 10.0  | CRITICAL |
cisa          |      | 9.8   | CRITICAL |
vendor_debian |      | 10.0  | CRITICAL |