GitLab has released versions 16.7.2, 16.6.4, and 16.5.6 to patch several security vulnerabilities in earlier versions, two of them rated critical. GitLab strongly recommends that every installation running an affected version be upgraded to one of the patched releases immediately.
The most severe is a critical flaw that lets an attacker take over user accounts by triggering a password reset, with no interaction from the victim. It affects GitLab Community Edition and Enterprise Edition 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. The bug causes the password reset email to be delivered to an unverified email address, so an attacker who controls that address receives the reset link, sets a new password, and takes over the account. It is tracked as CVE-2023-7028 and has a CVSS v3.1 base score of 10.0.
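GitLab's advisory says only that reset emails could be delivered to an unverified address, and the indicators it later published point at reset requests carrying more than one email address. The following Ruby example was written for this article and is not GitLab's code: it shows the general shape of that bug class beside the hardened form, using a hypothetical in-memory account store (`USERS`), a stand-in mailer (`ResetMailer`) and two handlers (`vulnerable_reset`, `hardened_reset`), all of which are assumptions for the illustration. The vulnerable handler takes the request's email field as both the lookup key and the delivery address and accepts a list; the hardened handler accepts one string, matches only a confirmed address, and delivers only to the address stored on the account.

```ruby
require 'securerandom'

# Constructed in-memory account store (hypothetical model, not GitLab's).
# Each account has one confirmed email; secondary addresses may be unconfirmed.
USERS = [
  { id: 1, confirmed_email: 'victim@example.com', unconfirmed_emails: [] },
  { id: 2, confirmed_email: 'alice@example.com',  unconfirmed_emails: ['alice.alt@example.net'] }
].freeze

# Records every reset link "sent" so the delivery address can be inspected.
class ResetMailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  def deliver(to:, token:)
    @sent << { to: to, token: token }
  end
end

def all_addresses(user)
  [user[:confirmed_email]] + user[:unconfirmed_emails]
end

# VULNERABLE pattern: the request's email parameter is used both to find the
# account and as the delivery address, and a list of addresses is accepted
# (a form field submitted as user[email][]). Array() wraps a single address or
# passes a list through unchanged; the account matches if any address is known.
def vulnerable_reset(params, mailer)
  emails = Array(params.dig('user', 'email'))
  user = USERS.find { |u| (emails & all_addresses(u)).any? }
  return :not_found unless user

  token = SecureRandom.hex(16)
  # The same token goes to every supplied address, including the attacker's.
  emails.each { |addr| mailer.deliver(to: addr, token: token) }
  :sent
end

# HARDENED pattern: accept exactly one string, match only the confirmed
# address, and deliver only to the address stored on the account. Request
# input never decides where the reset link goes.
def hardened_reset(params, mailer)
  user_params = params['user']
  email = user_params.is_a?(Hash) ? user_params['email'] : nil
  return :bad_request unless email.is_a?(String)

  user = USERS.find { |u| u[:confirmed_email].casecmp?(email.strip) }
  # Same response whether or not the account exists, to avoid user enumeration.
  mailer.deliver(to: user[:confirmed_email], token: SecureRandom.hex(16)) if user
  :accepted
end

if $PROGRAM_NAME == __FILE__
  attack = { 'user' => { 'email' => ['victim@example.com', 'attacker@evil.test'] } }
  m = ResetMailer.new
  puts "vulnerable: #{vulnerable_reset(attack, m)} -> #{m.sent.map { |s| s[:to] }.inspect}"
  m = ResetMailer.new
  puts "hardened:   #{hardened_reset(attack, m)} -> #{m.sent.inspect}"
end
```

Run stand-alone, the script shows the vulnerable handler mailing one token to both the victim's and the attacker's address, while the hardened handler rejects the list outright; a single confirmed address still works, and an unconfirmed address gets the same neutral response with no email sent.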
A second critical issue allows the Slack and Mattermost integrations to be abused to execute slash commands as another user, enabling privilege escalation. It affects GitLab versions starting from 8.13 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2, carries a CVSS v3.1 base score of 9.6, and is tracked as CVE-2023-5356.
A high-severity vulnerability allows CODEOWNERS approval to be bypassed by adding changes to a merge request that has already been approved, so new changes can be merged without the owner approval the CODEOWNERS rule requires. It affects versions starting from 15.3 before 16.5.5, 16.6 before 16.6.4, and 16.7 before 16.7.2, has a CVSS v3.1 base score of 7.6, and is identified as CVE-2023-4812.
GitLab has stated that it has not detected abuse of these vulnerabilities on the platforms it manages, including GitLab.com. Administrators of self-managed instances, however, are advised to review their logs for signs of attempted exploitation. For the password reset flaw, GitLab's advisory gives two indicators: entries in gitlab-rails/production_json.log for requests to the /users/password path whose user email parameter is a JSON array containing more than one address, and entries in gitlab-rails/audit_json.log from PasswordsController#create whose target_details field is such an array. A legitimate reset request carries a single address, so any match should be treated as a likely takeover attempt against the account owning one of those addresses, and that account's password and access tokens should be reset.
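The log review GitLab recommends can be automated. The Ruby script below is an added example, not a GitLab tool: it matches the two indicators from GitLab's advisory (a POST to /users/password whose user email parameter is an array of several addresses in production_json.log, and a PasswordsController#create audit event whose target_details is such an array in audit_json.log). The sample log lines are constructed for the example; the field names used for matching follow the advisory, while the rest of each entry's layout, and the exact spelling of the caller-id key (both `meta.caller_id` and `meta.caller.id` are accepted), are assumptions to confirm against your own instance's logs.

```ruby
require 'json'

# Constructed sample log lines (not real GitLab output). The matching fields
# (path, params, meta.caller_id, target_details) follow GitLab's published
# indicators; the surrounding structure of each entry is assumed.
PRODUCTION_JSON_LOG = <<~'LOG'
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.5","time":"2024-01-12T10:00:00.000Z"}
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","attacker@evil.test"]}}],"remote_ip":"198.51.100.7","time":"2024-01-12T10:01:00.000Z"}
  {"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.5","time":"2024-01-12T10:02:00.000Z"}
  this line is not JSON and must be skipped, not crash the review
LOG

AUDIT_JSON_LOG = <<~'LOG'
  {"meta.caller_id":"PasswordsController#create","target_details":"alice@example.com","time":"2024-01-12T10:00:00.000Z"}
  {"meta.caller_id":"PasswordsController#create","target_details":"[\"victim@example.com\",\"attacker@evil.test\"]","time":"2024-01-12T10:01:00.000Z"}
  {"meta.caller_id":"SessionsController#create","target_details":"alice@example.com","time":"2024-01-12T10:02:00.000Z"}
LOG

# Returns the list of addresses when `value` holds two or more entries, either
# as a native JSON array or as a JSON array serialised into a string (as an
# audit field may be). Returns nil for a normal single address.
def multi_email(value)
  value = (JSON.parse(value) rescue nil) if value.is_a?(String) && value.start_with?('[')
  value if value.is_a?(Array) && value.size > 1
end

# One JSON object per line; malformed or non-object lines are skipped.
def parse_lines(log)
  log.each_line.filter_map do |line|
    entry = (JSON.parse(line) rescue nil)
    entry if entry.is_a?(Hash)
  end
end

# production_json.log: POST /users/password where user[email] is a list.
def suspicious_reset_requests(log)
  parse_lines(log).filter_map do |entry|
    next unless entry['method'] == 'POST' && entry['path'] == '/users/password'

    user_param = Array(entry['params']).find { |p| p.is_a?(Hash) && p['key'] == 'user' }
    value = user_param && user_param['value']
    emails = value.is_a?(Hash) && multi_email(value['email'])
    next unless emails

    { time: entry['time'], remote_ip: entry['remote_ip'], emails: emails }
  end
end

# audit_json.log: PasswordsController#create whose target_details is a list.
def suspicious_audit_events(log)
  parse_lines(log).filter_map do |entry|
    caller_id = entry['meta.caller_id'] || entry['meta.caller.id']
    next unless caller_id == 'PasswordsController#create'

    emails = multi_email(entry['target_details'])
    next unless emails

    { time: entry['time'], emails: emails }
  end
end

if $PROGRAM_NAME == __FILE__
  # On an Omnibus install, replace the embedded samples with
  # File.read('/var/log/gitlab/gitlab-rails/production_json.log') and
  # File.read('/var/log/gitlab/gitlab-rails/audit_json.log').
  suspicious_reset_requests(PRODUCTION_JSON_LOG).each { |h| puts "request: #{h}" }
  suspicious_audit_events(AUDIT_JSON_LOG).each { |h| puts "audit:   #{h}" }
end
```

Each hit gives the timestamp, the source IP (for the request log) and the full address list, which is what you need to identify the targeted account and the attacker's mailbox. Correlating a request-log hit with an audit-log hit at the same time confirms the reset actually went through rather than being rejected.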
All affected installations should be upgraded to 16.7.2, 16.6.4, or 16.5.6 as soon as possible, following GitLab's recommended upgrade path; for the 16.1 through 16.4 series, the fixed patch release is the one named in the affected-version ranges above. Administrators are also advised to enforce two-factor authentication wherever possible, especially for administrator and other privileged accounts.
The vulnerabilities were responsibly disclosed through GitLab's bug bounty program by external security researchers. GitLab has implemented additional security measures and code reviews to help prevent similar issues in the future.
Two-factor authentication limits, rather than prevents, the impact of the password reset flaw: an attacker can still reset the password of a 2FA-protected account, but cannot log in without the second factor, so the account is not fully taken over. This release is a reminder to keep GitLab installations up to date and to require multi-factor authentication, particularly on privileged accounts.
Administrators of self-managed GitLab instances should treat the upgrade to a patched version as a priority. For full details, including the complete list of fixed issues, see GitLab's security advisory for these releases.