Urgent: GitLab Releases Patch for Critical Vulnerabilities – Update ASAP

We Keep you Connected

Urgent: GitLab Releases Patch for Critical Vulnerabilities – Update ASAP

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.
Tracked as CVE-2023-7028, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.
The DevSecOps platform said the vulnerability is the result of a bug in the email verification process, which allowed users to reset their password through a secondary email address.
It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE) using the below versions –
GitLab said it addressed the issue in GitLab versions 16.5.6, 16.6.4, and 16.7.2, in addition to backporting the fix to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. The company further noted the bug was introduced in 16.1.0 on May 1, 2023.
“Within these versions, all authentication mechanisms are impacted,” GitLab said. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”
Also patched by GitLab as part of the latest update is another critical flaw (CVE-2023-5356, CVSS score: 9.6), which permits a user to abuse Slack/Mattermost integrations to execute slash commands as another user.
To mitigate any potential threats, it’s advised to upgrade the instances to a patched version as soon as possible and enable 2FA, if not already, particularly for users with elevated privileges.
Report: Unveiling the Threat of Malicious Browser Extensions
Download the Report to learn the Risks of Malicious Extensions and How to Mitigate Them.
Firewalls vs. Zero Trust: Minimize Your Attack Surface
Learn latest trends in the attack landscape, attacker strategies, and how to implement Zero Trust Security.
Key findings from a study of 493 companies: what worked, what didn’t. Apply insights to your SaaS strategy in 2024.
Firewalls & VPNs can’t keep up. Discover how Zero Trust minimizes risks. Join our webinar with Zscaler & revolutionize your security strategy.
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE