{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-007.pdf"
    },
    "title": "Critical Vulnerabilities in GitLab",
    "serial_number": "2024-007",
    "publish_date": "12-01-2024 13:50:29",
    "description": "On January 11, 2024, GitLab released a security advisory addressing several vulnerabilities, including critical ones that, if exploited, could lead to account takeover or to slash command execution as another user through Slack and Mattermost integrations.<br>\nIt is recommended to upgrade as soon as possible.<br>\n",
    "url_title": "2024-007",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in GitLab'\nnumber: '2024-007'\nversion: '1.0'\noriginal_date: 'January 11, 2024'\ndate: 'January 12, 2024'\n---\n\n_History:_\n\n* _12/01/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 11, 2024, GitLab released a security advisory addressing several vulnerabilities, including critical ones that, if exploited, could lead to account takeover or to slash command execution as another user through Slack and Mattermost integrations.\n\nIt is recommended to upgrade as soon as possible.\n\n# Technical Details\n\n- The vulnerability `CVE-2023-7028`, with a CVSS score of 10, allows user account password reset emails to be sent to unverified email addresses, leading to potential account takeovers.\n- The vulnerability `CVE-2023-5356`, with a CVSS score of 9.6, allows a user to abuse Slack and Mattermost integrations to execute slash commands as another user.\n- The vulnerability `CVE-2023-4812`, with a CVSS score of 7.6, would allow a user to bypass the required `CODEOWNERS` approval by adding changes to a previously approved merge request.\n\n# Affected Products\n\n- The vulnerability `CVE-2023-7028` affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:\n    - 16.1 prior to 16.1.6;\n    - 16.2 prior to 16.2.9;\n    - 16.3 prior to 16.3.7;\n    - 16.4 prior to 16.4.5;\n    - 16.5 prior to 16.5.6;\n    - 16.6 prior to 16.6.4;\n    - 16.7 prior to 16.7.2.\n\n_Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not to account takeover, as their second authentication factor is still required to log in._\n\n- The vulnerability `CVE-2023-5356` affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:\n    - from 8.13 prior to 16.5.6;\n    - from 16.6 prior to 16.6.4;\n    - from 16.7 prior to 16.7.2.\n\n- The vulnerability `CVE-2023-4812` affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:\n    - from 15.3 prior to 16.5.5;\n    - from 16.6 prior to 16.6.4;\n    - from 16.7 prior to 16.7.2.\n\n# Recommendations\n\nIt is strongly recommended to upgrade all GitLab installations to one of the new versions immediately. The release also emphasises the importance of enabling Two-Factor Authentication (2FA) for additional security.\n\n## Detection\n\nAt the time of publication, GitLab had not detected any abuse of the vulnerability `CVE-2023-7028` on platforms managed by GitLab, including `GitLab.com` and GitLab Dedicated instances. Nevertheless, administrators of self-managed instances can review their logs to check for possible attempts to exploit this vulnerability:\n\n- Check `gitlab-rails/production_json.log` for HTTP requests to the `/users/password` path with `params.value.email` consisting of a JSON array with multiple email addresses.\n- Check `gitlab-rails/audit_json.log` for entries with `meta.caller.id` of `PasswordsController#create` and `target_details` consisting of a JSON array with multiple email addresses.\n\n# References\n\n[1] <https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/01/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 11, 2024, GitLab released a security advisory addressing several vulnerabilities, including critical ones that, if exploited, could lead to account takeover or to slash command execution as another user through Slack and Mattermost integrations.</p><p>It is recommended to upgrade as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>The vulnerability <code>CVE-2023-7028</code>, with a CVSS score of 10, allows user account password reset emails to be sent to unverified email addresses, leading to potential account takeovers.</li><li>The vulnerability <code>CVE-2023-5356</code>, with a CVSS score of 9.6, allows a user to abuse Slack and Mattermost integrations to execute slash commands as another user.</li><li>The vulnerability <code>CVE-2023-4812</code>, with a CVSS score of 7.6, would allow a user to bypass the required <code>CODEOWNERS</code> approval by adding changes to a previously approved merge request.</li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>The vulnerability <code>CVE-2023-7028</code> affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions: <ul><li>16.1 prior to 16.1.6;</li><li>16.2 prior to 16.2.9;</li><li>16.3 prior to 16.3.7;</li><li>16.4 prior to 16.4.5;</li><li>16.5 prior to 16.5.6;</li><li>16.6 prior to 16.6.4;</li><li>16.7 prior to 16.7.2.</li></ul></li></ul><p><em>Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not to account takeover, as their second authentication factor is still required to log in.</em></p><ul><li><p>The vulnerability <code>CVE-2023-5356</code> affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:</p><ul><li>from 8.13 prior to 16.5.6;</li><li>from 16.6 prior to 16.6.4;</li><li>from 16.7 prior to 16.7.2.</li></ul></li><li><p>The vulnerability <code>CVE-2023-4812</code> affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:</p><ul><li>from 15.3 prior to 16.5.5;</li><li>from 16.6 prior to 16.6.4;</li><li>from 16.7 prior to 16.7.2.</li></ul></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is strongly recommended to upgrade all GitLab installations to one of the new versions immediately. The release also emphasises the importance of enabling Two-Factor Authentication (2FA) for additional security.</p><h3 id=\"detection\">Detection</h3><p>At the time of publication, GitLab had not detected any abuse of the vulnerability <code>CVE-2023-7028</code> on platforms managed by GitLab, including <code>GitLab.com</code> and GitLab Dedicated instances. Nevertheless, administrators of self-managed instances can review their logs to check for possible attempts to exploit this vulnerability:</p><ul><li>Check <code>gitlab-rails/production_json.log</code> for HTTP requests to the <code>/users/password</code> path with <code>params.value.email</code> consisting of a JSON array with multiple email addresses.</li><li>Check <code>gitlab-rails/audit_json.log</code> for entries with <code>meta.caller.id</code> of <code>PasswordsController#create</code> and <code>target_details</code> consisting of a JSON array with multiple email addresses.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/\">https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
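The log review described in the advisory's Detection section, written out as an added example for this edition; it is not code from GitLab or CERT-EU. It reads the two JSON-lines files the advisory names (`gitlab-rails/production_json.log` and `gitlab-rails/audit_json.log`) and flags the CVE-2023-7028 indicator: a password reset request, or its audit event, that carries more than one email address. The sample log lines are constructed to illustrate the shape of the records; the advisory only fixes the `path`, `params[].value.email`, `target_details` and `PasswordsController#create` fields, so the timestamps, addresses, the `meta.remote_ip` key and the `meta.caller_id` spelling of the caller key (the advisory writes `meta.caller.id`; both are accepted) are assumptions.

```python
"""Review GitLab Rails logs for the CVE-2023-7028 indicator: a password reset
request (or its audit event) that names several email addresses at once."""
import json
from typing import Iterator, Optional

# Constructed sample log lines, not real GitLab output. The fields the advisory
# names (path, params[].value.email, target_details, PasswordsController#create)
# are kept; timestamps, IPs and the remaining keys are illustrative. Real
# audit_json.log entries are assumed to spell the caller key "meta.caller_id";
# the advisory writes "meta.caller.id", so both spellings are accepted below.
PRODUCTION_JSON_LOG = r"""
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"time":"2024-01-12T10:00:00.000Z","remote_ip":"203.0.113.10","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.org"}}]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"time":"2024-01-12T10:05:00.000Z","remote_ip":"198.51.100.7","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["admin@example.org","attacker@attacker.example"]}}]}
{"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","status":200,"time":"2024-01-12T10:06:00.000Z","remote_ip":"198.51.100.7","params":[]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"time":"2024-01-12T10:07:00.000Z","remote_ip":"198.51.100.7","params":[{"key":"user","value":{"email":["bob@example.org"]}}]}
this line is deliberately not JSON and must be skipped, not abort the review
"""

AUDIT_JSON_LOG = r"""
{"severity":"INFO","time":"2024-01-12T10:00:00.000Z","meta.caller_id":"PasswordsController#create","meta.remote_ip":"203.0.113.10","target_type":"User","target_details":"alice@example.org","custom_message":"Ask for password reset"}
{"severity":"INFO","time":"2024-01-12T10:05:00.000Z","meta.caller_id":"PasswordsController#create","meta.remote_ip":"198.51.100.7","target_type":"User","target_details":"[\"admin@example.org\",\"attacker@attacker.example\"]","custom_message":"Ask for password reset"}
{"severity":"INFO","time":"2024-01-12T10:06:00.000Z","meta.caller_id":"SessionsController#create","meta.remote_ip":"198.51.100.7","target_type":"User","target_details":"[\"x@example.org\",\"y@example.org\"]"}
"""


def iter_json_lines(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def _email_list(value) -> Optional[list]:
    """Return value as a list if it is a JSON array, or a string encoding one; else None."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return None
    return value if isinstance(value, list) else None


def multi_email_reset_requests(production_log: str) -> list[dict]:
    """production_json.log indicator: a /users/password request whose
    params[].value.email is a JSON array holding more than one address."""
    hits = []
    for entry in iter_json_lines(production_log):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params") or []:
            value = param.get("value") if isinstance(param, dict) else None
            emails = _email_list(value.get("email")) if isinstance(value, dict) else None
            if emails and len(emails) > 1:
                hits.append({"time": entry.get("time"),
                             "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def multi_email_reset_audit_events(audit_log: str) -> list[dict]:
    """audit_json.log indicator: a PasswordsController#create event whose
    target_details is a JSON array holding more than one address."""
    hits = []
    for entry in iter_json_lines(audit_log):
        caller = entry.get("meta.caller_id", entry.get("meta.caller.id"))
        if caller != "PasswordsController#create":
            continue
        emails = _email_list(entry.get("target_details"))
        if emails and len(emails) > 1:
            hits.append({"time": entry.get("time"),
                         "remote_ip": entry.get("meta.remote_ip"), "emails": emails})
    return hits


def review_logs(production_log: str, audit_log: str) -> dict:
    """Run both checks; any hit is an exploitation attempt worth investigating."""
    return {
        "production_json": multi_email_reset_requests(production_log),
        "audit_json": multi_email_reset_audit_events(audit_log),
    }


def sources_to_investigate(report: dict) -> set[str]:
    """Remote IPs behind any hit, to pivot into sign-in and session logs next."""
    return {hit["remote_ip"] for hits in report.values() for hit in hits if hit.get("remote_ip")}


if __name__ == "__main__":
    report = review_logs(PRODUCTION_JSON_LOG, AUDIT_JSON_LOG)
    for source, hits in report.items():
        for hit in hits:
            print(f"{source}: {hit['time']} from {hit['remote_ip']} targeted {hit['emails']}")
    print("pivot on:", sorted(sources_to_investigate(report)))
```

On a real instance, pass the contents of the two files (for example `open("/var/log/gitlab/gitlab-rails/production_json.log").read()`) to `review_logs` instead of the constructed samples. A one-element array is deliberately not flagged, since a normal reset form submits a single address; only the multi-address form matches the technique. A hit shows an attempt, not a confirmed takeover: the first address in the array is the account the attacker was targeting, so check that user's sign-in history, and remember that accounts with 2FA can still have had their password reset even though login would have been blocked.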