Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug


Two weeks ago, GitLab released patches for a critical password reset vulnerability. Tracked as CVE-2023-7028, the bug lets an attacker have a user's password reset message delivered to an unverified email address under the attacker's control. If the targeted account does not have two-factor authentication enabled, the attacker can then reset the password and take over the account.

Patches for the bug were included in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.5.6, 16.6.4, and 16.7.2, with backports to 16.1.6, 16.2.9, 16.3.7, and 16.4.5; every 16.x release from 16.1 up to those patch levels is affected. Despite this, thousands of servers remain unpatched against CVE-2023-7028.

Security Officer Comments:
According to the Shadowserver Foundation, more than 5,000 internet-exposed GitLab servers remain vulnerable to the bug, most of them in the United States, followed by Russia and China. Although it is unclear whether the flaw has been exploited in the wild, the number of unpatched servers gives attackers ample opportunity to take over GitLab accounts, including administrator accounts, with no user interaction required.

Suggested Corrections:
Administrators should upgrade to a patched release and enforce two-factor authentication: with 2FA enabled, an attacker who resets a password still cannot log in without the second factor. GitLab has also advised self-managed customers to review their logs for signs of exploitation, in particular gitlab-rails/production_json.log entries for HTTP requests to the /users/password path whose email parameter is a JSON array containing more than one address (and the matching audit_json.log entries with meta.caller_id of PasswordsController#create and a multi-address target_details), and to rotate all credentials if an intrusion is detected.
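The two checks above (are we on a fixed release, and has anyone posted a multi-address reset request) can be scripted. The following is an added example written for this article, not GitLab's own tooling: it gates a version string against the fixed releases listed in the advisory and scans production_json.log lines for the indicator GitLab described. The log lines are constructed for illustration, and the accessor assumes GitLab's params layout of a list of {"key", "value"} objects; adapt it if your log lines differ.

```python
"""Triage helpers for CVE-2023-7028 (GitLab password reset to an unverified email).

Added example, not GitLab code. Two checks:
  1. version gating against the fixed releases GitLab published;
  2. scanning gitlab-rails/production_json.log for POST /users/password
     requests whose email parameter is an array of more than one address.
The sample log below is constructed; its field layout (params as a list of
{"key","value"} objects) is assumed from GitLab's JSON request log shape.
"""
import json
import re

# Patch levels from the advisory: a release in one of these minor series
# below the listed patch is vulnerable. The bug was introduced in 16.1.0 and
# no release from 16.8 onward carries it.
FIXED = {
    (16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
    (16, 5): 6, (16, 6): 4, (16, 7): 2,
}
FIRST_AFFECTED = (16, 1, 0)
FIRST_CLEAN_SERIES = (16, 8, 0)


def parse_version(v):
    """Turn '16.7.1-ee' into (16, 7, 1); suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(v):
    t = parse_version(v)
    if t < FIRST_AFFECTED or t >= FIRST_CLEAN_SERIES:
        return False
    return t[2] < FIXED[(t[0], t[1])]


def _email_param(params):
    """Extract the email value from a params list (assumed GitLab layout):
    [{"key": "user", "value": {"email": ...}}, ...]. Falls back to a
    top-level "email" key. Returns None when no email param is present."""
    for p in params or []:
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            if "email" in p["value"]:
                return p["value"]["email"]
        if p.get("key") == "email":
            return p.get("value")
    return None


def find_reset_indicators(lines):
    """Return one record per POST /users/password request whose email
    parameter arrived as a JSON array with more than one address."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the file; skip it
        if rec.get("method") != "POST" or rec.get("path") != "/users/password":
            continue
        email = _email_param(rec.get("params"))
        # A legitimate reset form submits a single string; a list with
        # two or more entries is the exploitation indicator.
        if isinstance(email, list) and len(email) > 1:
            hits.append({"line": n, "time": rec.get("time"),
                         "remote_ip": rec.get("remote_ip"), "emails": email})
    return hits


# Constructed sample: one normal reset, one multi-address reset, one unrelated GET.
SAMPLE_LOG = """
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}],"status":302,"time":"2024-01-12T09:14:03.001Z","remote_ip":"198.51.100.7"}
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["admin@example.com","attacker@attacker.test"]}}],"status":302,"time":"2024-01-12T09:15:41.120Z","remote_ip":"203.0.113.9"}
{"method":"GET","path":"/users/sign_in","params":[],"status":200,"time":"2024-01-12T09:16:00.000Z","remote_ip":"203.0.113.9"}
""".strip().splitlines()


if __name__ == "__main__":
    for v in ("16.7.1-ee", "16.7.2-ee", "16.4.4", "16.8.0", "16.0.9"):
        print(f"{v:10} vulnerable={is_vulnerable_version(v)}")
    for hit in find_reset_indicators(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['time']} from {hit['remote_ip']}: "
              f"reset requested for {hit['emails']}")
```

On a real host, feed `open("/var/log/gitlab/gitlab-rails/production_json.log")` to `find_reset_indicators` and check every reported remote_ip and address pair against expected activity; a hit means the reset flow was invoked with multiple recipients, which is exactly the condition the patch closes.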