01/16/2024

GitLab Fixes Password Reset Bug That Allows Account Takeover

Security Boulevard

GitLab is releasing a patch to fix a vulnerability in its email verification process that bad actors can exploit to reset user passwords and take over accounts.

The flaw, CVE-2023-7028, was introduced in May 2023 in GitLab 16.1.0, in which a change was made that allowed users to reset their password through a secondary email address.

The fix was introduced with the release this month of versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“The vulnerability is a result of a bug in the email verification process,” GitLab security engineer Greg Myers wrote in a notification. “The bug has been fixed with this patch and … we have implemented a number of preventive security measures to protect customers.”

Password Reset Process at Risk

The vulnerability could allow attackers to hijack the password reset process by having password reset messages sent to unverified email addresses, and through that to take over accounts.
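The defensive principle behind the fix, shown as an added illustration in Ruby (GitLab is a Rails application) that is not GitLab's code and makes no claim about how GitLab's own reset handler is written: a reset token may only be delivered to an address that has already been verified for the requesting account, and the recipient list must never be derived from request input alone. The `Account` struct, the `ACCOUNTS` table and the sample addresses are constructed for the example.

```ruby
# Added illustration, not GitLab's code. Contrasts a reset handler that trusts
# any address attached to the account with one that only honours verified ones.
require 'securerandom'

Account = Struct.new(:username, :primary_email, :secondary_emails, :verified_emails)

# Constructed sample data: a verified primary, one confirmed secondary, and one
# secondary that was added but never confirmed.
ACCOUNTS = {
  'alice' => Account.new(
    'alice',
    'alice@example.test',
    ['alice.work@example.test', 'alice.new@example.test'],
    ['alice@example.test', 'alice.work@example.test']
  )
}.freeze

# Audit trail so that rejected reset attempts are visible to detection tooling.
AUDIT_LOG = []

# Weak pattern: any address attached to the account is accepted as a recipient,
# whether or not its ownership was ever confirmed.
def weak_reset_recipients(username, requested_emails)
  account = ACCOUNTS[username]
  return [] unless account

  attached = [account.primary_email] + account.secondary_emails
  requested_emails.select { |e| attached.include?(e) }
end

# Hardened pattern: only addresses the account has verified may receive a token.
# Request input can narrow the set, never widen it.
def hardened_reset_recipients(username, requested_emails)
  account = ACCOUNTS[username]
  return [] unless account

  requested_emails.select { |e| account.verified_emails.include?(e) }
end

# Issues a reset token only when at least one verified recipient remains;
# otherwise records the attempt and returns nil so nothing is sent.
def issue_reset(username, requested_emails)
  recipients = hardened_reset_recipients(username, requested_emails)
  if recipients.empty?
    AUDIT_LOG << { event: 'reset_rejected', user: username, requested: requested_emails }
    return nil
  end
  { token: SecureRandom.hex(32), recipients: recipients }
end

if __FILE__ == $PROGRAM_NAME
  p weak_reset_recipients('alice', ['alice.new@example.test'])
  p hardened_reset_recipients('alice', ['alice.new@example.test'])
  p issue_reset('alice', ['alice.work@example.test'])
  p AUDIT_LOG
end
```

With the unconfirmed secondary address in the request, the weak handler would mail a token to it while the hardened handler returns an empty list, refuses to issue a token, and leaves an audit entry that a monitoring rule can alert on.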
