Critical Zero-click Vulnerability in GitLab
Last week, researchers discovered that a critical zero-click vulnerability in GitLab, tracked as CVE-2023-7028 and rated CVSS 10.0, is present on more than 5,300 GitLab instances accessible from the Internet.
The vulnerability allows an attacker to take over an account without any interaction from its owner: by abusing the password reset flow, the attacker has the reset email delivered to an address they control, then uses it to set a new password and log in as the victim.
The vulnerability does not bypass two-factor authentication (2FA), so accounts with 2FA enabled are protected; for accounts without this additional security measure, it poses a significant risk.
The following releases of GitLab Community and Enterprise Edition are affected:
- 16.1 up to and including 16.1.5
- 16.2 up to and including 16.2.8
- 16.3 up to and including 16.3.6
- 16.4 up to and including 16.4.4
- 16.5 up to and including 16.5.6
- 16.6 up to and including 16.6.4
- 16.7 up to and including 16.7.2
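As an added example that is not part of the article, the following Python script turns the list above into an inventory check: it parses GitLab version strings such as 16.4.3-ee, reports whether each one falls inside a listed affected range, and names the first release in that series outside the range. The hostnames and versions in the sample inventory are constructed, and the function and variable names are my own.

```python
"""Check GitLab version strings against the affected ranges for CVE-2023-7028.

Added example: the affected ranges are transcribed from the article's list;
the sample inventory below is constructed for illustration.
"""
import re

# (major, minor) -> last affected patch level, as listed in the article.
# Every release of that minor series up to and including the patch level is
# inside the affected range; the next patch release is the first outside it.
AFFECTED = {
    (16, 1): 5,
    (16, 2): 8,
    (16, 3): 6,
    (16, 4): 4,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}

# Accepts an optional leading "v" and ignores any suffix such as "-ee".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '16.4.3', 'v16.4.3' or '16.4.3-ee'.

    Raises ValueError when the string does not start with three numeric
    components, so a malformed inventory entry is never silently treated
    as unaffected.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version lies inside one of the listed affected ranges.

    Minor series that the article does not list (e.g. 16.0 or 16.8) return
    False, meaning "not in a listed range", not a general statement of safety.
    """
    major, minor, patch = parse_version(text)
    last_bad = AFFECTED.get((major, minor))
    return last_bad is not None and patch <= last_bad


def fixed_version(text):
    """First release of the same minor series outside the listed range,
    or None when the version is not inside an affected range."""
    major, minor, patch = parse_version(text)
    last_bad = AFFECTED.get((major, minor))
    if last_bad is None or patch > last_bad:
        return None
    return f"{major}.{minor}.{last_bad + 1}"


def triage(inventory):
    """Map each host to a short status string; malformed versions are flagged
    rather than dropped so they show up for manual review."""
    report = {}
    for host, version in inventory:
        try:
            if is_affected(version):
                report[host] = f"AFFECTED ({version}); update to {fixed_version(version)}"
            else:
                report[host] = f"not in listed ranges ({version})"
        except ValueError as exc:
            report[host] = f"UNPARSEABLE: {exc}"
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("git-a.example.internal", "16.4.3-ee"),
    ("git-b.example.internal", "16.7.3"),
    ("git-c.example.internal", "v16.1.5"),
    ("git-d.example.internal", "16.8.0"),
    ("git-e.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The script deliberately separates "not in a listed range" from "safe": a series that is absent from the advisory list is reported as unlisted, so the operator can still check it against the vendor's own guidance rather than reading the absence as a clean bill of health.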
The necessary patches were issued on January 11. However, two weeks later, the Shadowserver threat monitoring service reports that 5,379 vulnerable GitLab instances are still accessible from the Internet.
Given GitLab's role as a platform for software development and project planning, and the nature of this vulnerability, these servers are exposed to supply chain attacks, source code exposure, API credential leaks, and other malicious activity.
According to Shadowserver, the largest numbers of vulnerable servers are located in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the UK (122), India (117), and Canada (99).