An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
An error in the password reset mechanism (CWE-640) causes GitLab to send a message with a password change link to an email address that has not been verified. An attacker can initiate a password reset procedure for any account by specifying an unverified email address controlled by the attacker. After receiving the reset link, the attacker sets a new password and fully takes over the victim's account without requiring any prior authorization.
An attacker can completely take over any GitLab user account, gaining access to repositories, CI/CD pipelines, secrets, and configuration data, which may lead to compromise of the entire software supply chain.
GitLab CE/EE must be immediately updated to version: 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, or 16.7.2 (or newer). It is also recommended to review logs for unauthorized password resets and force re-authentication of all users.
GitLab CE and EE in versions: 16.1 before 16.1.6, 16.2 before 16.2.9, 16.3 before 16.3.7, 16.4 before 16.4.5, 16.5 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NGitLab
APPGitlab16.1.0 – 16.1.6 (bez)16.2.0 – 16.2.9 (bez)16.3.0 – 16.3.7 (bez)16.4.0 – 16.4.5 (bez)16.5.0 – 16.5.6 (bez)16.6.0 – 16.6.4 (bez)16.7.0 – 16.7.2 (bez)
CISA KEV — detailsi
- Vendori
- GitLab ↗
- Producti
- GitLab CE/EE
- Added to KEVi
- May 1, 2024
- Remediation deadline (US Federal)i
- May 22, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.
Related vulnerabilities
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properl...
GitLab CE/EE: uruchomienie pipeline jako inny użytkownik (privilege escalation)
GitLab EE: uruchamianie pipeline CI/CD na dowolnych gałęziach bez autoryzacji
GitLab CE/EE — uruchomienie pipeline jako dowolny użytkownik (CWE-290)
Ruby-SAML: pominięcie weryfikacji podpisu odpowiedzi SAML — Auth Bypass