What We Do
How We Do
Get Started
Security advisories

Critical GitLab Vulnerabilities

January 15, 2024 | 2 MINS READ

Speak With A Security Expert Now



On January 11th, GitLabs disclosed multiple vulnerabilities, including one which received the maximum criticality rating of CVSS 10. This maximum criticality vulnerability is tracked as CVE-2023-7028; it is an account takeover via password reset vulnerability. This vulnerability allows for a user account’s password reset emails to be delivered to an unverified email address, enabling account takeover. Proof-of-Concept (PoC) exploit code was publicly released on January 13th.

At the time of writing, there is no indication of attacks exploiting these vulnerabilities in the wild. However, due to the availability of exploit code and the high severity of CVE-2023-7028, it is almost certain that exploitation will occur in the immediate future.

What we’re doing about it

What you should do about it

Additional information

As CVE-2023-7028 has a high criticality, allows account takeover, and has functional PoC exploit code, it should be prioritized for immediate remediation. CVE-2023-7028 impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. Within these versions, all authentication mechanisms are impacted. Organizations need to ensure they are running GitLab versions 16.7.2, 16.6.4, 16.5.6.

Users who have Multi-Factor Authentication (MFA) enabled remain vulnerable to a password reset, however, account takeover is not possible as the additional authentication factor is required to login. If an unrecognized password reset email is triggered or if a user is suddenly redirected to login, it is recommended to reset the password.

It should be noted that users without SSO enforcement are vulnerable to account takeover. Additionally, if your configuration permits a username and password alongside SSO options then you are also vulnerable. It is recommended to disable all password authentication options to mitigate the vulnerability for Self-Managed customers that have an external identity provider configured.

At the time of writing, GitLab has not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. They also released details for self-managed customers on how to review logs to check for possible attempts to exploit this vulnerability.

Other vulnerabilities from the release include:


[1] https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
[2] https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#password-authentication-enabled

View Most Recent Advisories