
01/16/2024

GitLab Fixes Password Reset Bug That Allows Account Takeover

Security Boulevard

GitLab is releasing a patch to fix a vulnerability in its email verification process that bad actors can exploit to reset user passwords and take over accounts.

The flaw, CVE-2023-7028, was introduced in May 2023 in GitLab 16.1.0, in which a change was made that allowed users to reset their password through a secondary email address.

The fix was introduced with this month's release of versions 16.7.2, 16.6.4 and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“The vulnerability is a result of a bug in the email verification process,” GitLab security engineer Greg Myers wrote in a notification. “The bug has been fixed with this patch and … we have implemented a number of preventive security measures to protect customers.”

Password Reset Process at Risk

The vulnerability could allow attackers to take over the password reset process by having password reset messages sent to unverified email addresses. It also could enable threat actors to take over accounts.
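As an added illustration, not GitLab's code or anything from the article, here is the shape of the bug class described above: a reset handler that sends a token to any address attached to an account, beside a hardened one that sends only to addresses that have completed verification and records attempts naming unverified ones. The account and addresses are constructed sample data.

```ruby
require 'securerandom'
require 'digest'

# Constructed sample account: a verified primary address and a secondary
# address that was added but never confirmed.
USERS = [
  { id: 1, emails: [
      { address: 'alice@example.com',     verified: true  },
      { address: 'alice-alt@example.net', verified: false },
    ] },
]

# Vulnerable pattern (illustrative): the reset token goes to whatever address
# the request names, as long as that address is attached to some account.
# Verification status is never consulted.
def vulnerable_reset_targets(requested)
  USERS.flat_map { |u| u[:emails] }
       .select { |e| e[:address] == requested }
       .map { |e| e[:address] }
end

# Hardened pattern: find the account, then release a token only to an address
# that has completed verification. A request naming an unverified address gets
# nothing and is written to an audit list so it can be alerted on.
def hardened_reset_targets(requested, audit = [])
  user = USERS.find { |u| u[:emails].any? { |e| e[:address] == requested } }
  return [] unless user
  entry = user[:emails].find { |e| e[:address] == requested }
  unless entry[:verified]
    audit << "reset requested for unverified address #{requested} (user #{user[:id]})"
    return []
  end
  [entry[:address]]
end

# Issue a single-use token; only its SHA-256 digest is kept server-side, and the
# plaintext goes solely to the address(es) the hardened lookup returned.
def issue_reset_token
  token = SecureRandom.hex(32)
  [token, Digest::SHA256.hexdigest(token)]
end
```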
