Critical Vulnerabilities in GitLab Products
14 January 2024
GitLab has released security updates addressing critical vulnerabilities (CVE-2023-7028 and CVE-2023-5356) in their Community Edition (CE) and Enterprise Edition (EE). CVE-2023-7028 has a Common Vulnerability Scoring System (CVSSv3) score of 10 out of 10.
The critical vulnerabilities are:
- CVE-2023-7028: Successful exploitation of this vulnerability could allow an attacker to have password reset requests sent to arbitrary, unverified email addresses, enabling account takeover, particularly where multi-factor authentication is not enabled
- CVE-2023-5356: Successful exploitation could allow an attacker to abuse Slack/Mattermost integrations and execute slash commands as another user
The critical vulnerabilities affect the following product versions:
- CVE-2023-7028: All versions of GitLab CE and EE from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2
- CVE-2023-5356: All versions of GitLab CE and EE from 8.13 prior to 16.5.6, from 16.6 prior to 16.6.4, and from 16.7 prior to 16.7.2
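A small check of an instance's reported version against the ranges listed above, added here as an example (it is not GitLab's own tooling). The ranges are copied from this advisory; "from 16.1" is read as 16.1.0, an edition suffix such as "-ee" is ignored, and the sample version strings are constructed:

```python
# Added example: check a GitLab version string against the affected ranges
# stated in this advisory (CVE-2023-7028 and CVE-2023-5356).

def parse_version(v):
    """Turn '16.5.3' (or '16.5.3-ee') into a comparable tuple of ints.
    Assumption: anything after '-' is an edition/build suffix and is dropped."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))

# (first affected version, first fixed version) per release branch,
# taken from the advisory text; "from 16.1" is read as 16.1.0.
AFFECTED = {
    "CVE-2023-7028": [
        ("16.1.0", "16.1.6"), ("16.2.0", "16.2.9"), ("16.3.0", "16.3.7"),
        ("16.4.0", "16.4.5"), ("16.5.0", "16.5.6"), ("16.6.0", "16.6.4"),
        ("16.7.0", "16.7.2"),
    ],
    "CVE-2023-5356": [
        ("8.13.0", "16.5.6"), ("16.6.0", "16.6.4"), ("16.7.0", "16.7.2"),
    ],
}

def affected_cves(version):
    """Return the CVEs from this advisory whose ranges include `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges:
            # Half-open range: affected from `lo` up to but not including the fix `hi`.
            if parse_version(lo) <= v < parse_version(hi):
                hits.append(cve)
                break
    return hits

def check(version):
    """Human-readable verdict for one version string."""
    cves = affected_cves(version)
    if cves:
        return f"{version}: AFFECTED by {', '.join(cves)}; upgrade to a fixed release"
    return f"{version}: not in an affected range listed in this advisory"

if __name__ == "__main__":
    # Constructed sample versions, not observed instances.
    for v in ["16.0.8", "16.5.3", "16.7.1", "16.7.2", "16.1.6-ee"]:
        print(check(v))
```

Versions older than those listed (for example the 16.0 branch) still fall inside the CVE-2023-5356 range, which is why a branch-by-branch comparison rather than a single "newer than X" test is needed.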
Users and administrators of affected product versions are advised to upgrade to the latest versions immediately.
More information is available here:
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5356