> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
In January 2024, GitLab issued a critical security patch for a devastating vulnerability: CVE-2023-7028 (CVSS 10.0). This flaw allowed unauthenticated attackers to trigger a password reset for an arbitrary GitLab account and receive the reset link themselves, without any interaction from the victim.
If you're running a vulnerable GitLab version, patching should be your top priority.
Why CVE-2023-7028 Is So Dangerous
- No login required
- No user interaction needed
- Easy to exploit
- Leads to full account takeover
GitLab 16.1.0 introduced a change (merged May 1, 2023) that allowed users to reset their password through a secondary email address. Because the submitted address was not properly validated against the account's verified addresses, GitLab would send the reset link to unverified, attacker-controlled addresses.
Worse, the email parameter accepted a JSON array of addresses, so an attacker could submit the victim's address together with their own. GitLab located the victim's account by the first address and delivered the reset link to every address in the array, handing the attacker a valid reset token for the victim's account.
How to Detect Exploitation
1. Check production_json.log (on Omnibus installs: /var/log/gitlab/gitlab-rails/production_json.log)
Look for POST requests to:
/users/password
especially those where the email parameter is a JSON array with more than one address, e.g.:
params.value.email = ["victim@example.com", "attacker@example.com"]
2. Check audit_json.log (on Omnibus installs: /var/log/gitlab/gitlab-rails/audit_json.log)
Look for entries where:
meta.caller.id = PasswordsController#create
and target_details is a JSON array containing multiple email addresses.
These patterns suggest possible past exploitation. A single address in either field is ordinary password-reset traffic; the indicator is an array with more than one entry. A match means the reset email was sent, not necessarily that the attacker completed the takeover, so follow up by checking when the affected account's password was last changed and which sessions and IPs used it afterwards.
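The two log checks above, implemented as a script that can be run offline over both log files. This is an added example, not code from the original post or from GitLab; the log lines below are constructed to mimic the shape of GitLab's production_json.log (request parameters as a list of key/value pairs under "params") and audit_json.log. The audit-log caller field is assumed to be named "meta.caller.id" as in the advisory text; the code also accepts "meta.caller_id" in case the field is flattened under that name, and it tolerates target_details arriving either as a real JSON array or as a JSON-encoded string.

```python
import json
from typing import Any, Iterable

# Constructed sample lines shaped like production_json.log: one JSON object per
# line. Real entries carry many more fields; only the ones the check reads are kept.
# Line 2 is the exploitation pattern (email is an array with two addresses);
# line 4 stands in for a truncated line in a rotated log.
PRODUCTION_JSON_LOG = """
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"10.0.0.5","time":"2024-01-12T09:00:01.000Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"remote_ip":"203.0.113.7","time":"2024-01-12T09:05:42.000Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@evil.test"]}}]}
{"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","status":200,"remote_ip":"10.0.0.5","time":"2024-01-12T09:06:00.000Z","params":[]}
not valid json, as a truncated line in a rotated log might be
"""

# Constructed sample lines shaped like audit_json.log. Line 3 has several
# target addresses but comes from a different controller, so it must not match.
AUDIT_JSON_LOG = """
{"severity":"INFO","time":"2024-01-12T09:00:01.100Z","entity_type":"User","target_details":"alice@example.com","meta.caller.id":"PasswordsController#create"}
{"severity":"INFO","time":"2024-01-12T09:05:42.300Z","entity_type":"User","target_details":["victim@example.com","attacker@evil.test"],"meta.caller.id":"PasswordsController#create"}
{"severity":"INFO","time":"2024-01-12T09:07:10.000Z","entity_type":"User","target_details":["a@example.com","b@example.com"],"meta.caller.id":"Profiles::EmailsController#create"}
"""


def _parse_lines(lines: Iterable[str]):
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated/garbled line: skip it rather than abort the scan


def _as_list(value: Any) -> list:
    """Normalise a scalar, a list, or a JSON-encoded list to a Python list."""
    if isinstance(value, list):
        return value
    if isinstance(value, str):
        try:
            decoded = json.loads(value)  # target_details may be a JSON string
        except json.JSONDecodeError:
            return [value]  # a plain email address is not valid JSON
        return decoded if isinstance(decoded, list) else [value]
    return [] if value is None else [value]


def _reset_emails(params: Any) -> list:
    """Extract params.value.email (under key "user") from a production_json.log entry."""
    for item in params or []:
        if isinstance(item, dict) and item.get("key") == "user" and isinstance(item.get("value"), dict):
            return _as_list(item["value"].get("email"))
    return []


def suspicious_password_resets(lines: Iterable[str]) -> list:
    """POST /users/password requests whose email parameter carried more than one address."""
    hits = []
    for entry in _parse_lines(lines):
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails = _reset_emails(entry.get("params"))
        if len(emails) > 1:
            hits.append({"time": entry.get("time"), "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def suspicious_audit_events(lines: Iterable[str]) -> list:
    """PasswordsController#create audit events whose target_details lists several addresses."""
    hits = []
    for entry in _parse_lines(lines):
        caller = entry.get("meta.caller.id") or entry.get("meta.caller_id")
        if caller != "PasswordsController#create":
            continue
        targets = _as_list(entry.get("target_details"))
        if len(targets) > 1:
            hits.append({"time": entry.get("time"), "targets": targets})
    return hits


if __name__ == "__main__":
    # Point these at the real files, e.g. open("/var/log/gitlab/gitlab-rails/production_json.log")
    for hit in suspicious_password_resets(PRODUCTION_JSON_LOG.splitlines()):
        print("production_json.log:", hit)
    for hit in suspicious_audit_events(AUDIT_JSON_LOG.splitlines()):
        print("audit_json.log:", hit)
```

Both functions take any iterable of lines, so they work directly on an open file handle or on the output of zcat for rotated logs. The email checks filter on method and caller deliberately: a multi-value target_details from another controller (for example a user editing their own emails) is not an indicator for this bug.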
Potential Impact
- Account Takeover: An attacker could take over any GitLab account.
- Data Breach: Access to source code, project data, and user info.
SSO (e.g. SAML) users are affected. LDAP users are not, as they don't use GitLab's password reset.
Accounts with 2FA enabled are better protected: even if the password is reset, the attacker still cannot log in without the second factor.
Affected Versions
Vulnerable versions include:
- 16.1.0 ≤ version < 16.1.6
- 16.2.0 ≤ version < 16.2.9
- 16.3.0 ≤ version < 16.3.7
- 16.4.0 ≤ version < 16.4.5
- 16.5.0 ≤ version < 16.5.6
- 16.6.0 ≤ version < 16.6.4
- 16.7.0 ≤ version < 16.7.2
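A small checker for the ranges above, added here as an example rather than taken from the post or from GitLab. It parses the version strings GitLab actually reports (including the -ee/-ce suffix returned by an authenticated GET /api/v4/version), decides whether the instance falls in a vulnerable range, and names the first fixed release on the same branch. Suffixes are ignored for the comparison, so a "-pre" build is treated as its base version.

```python
import json
import re

# Affected ranges from the advisory, as [introduced, fixed) pairs per minor branch.
VULNERABLE_RANGES = [
    ("16.1.0", "16.1.6"), ("16.2.0", "16.2.9"), ("16.3.0", "16.3.7"),
    ("16.4.0", "16.4.5"), ("16.5.0", "16.5.6"), ("16.6.0", "16.6.4"),
    ("16.7.0", "16.7.2"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'16.5.1-ee' -> (16, 5, 1). Edition and pre-release suffixes are dropped."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside one of the advisory's vulnerable ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in VULNERABLE_RANGES)


def fixed_version_for(version: str):
    """First fixed release on the same 16.x branch, or None if the branch is not listed."""
    major, minor, _ = parse_version(version)
    for lo, hi in VULNERABLE_RANGES:
        if parse_version(lo)[:2] == (major, minor):
            return hi
    return None


def check_api_version_response(body: str) -> dict:
    """Evaluate the JSON body of GET /api/v4/version, e.g. {"version":"16.5.1-ee","revision":"..."}."""
    version = json.loads(body)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version), "fixed_in": fixed_version_for(version)}


if __name__ == "__main__":
    # Constructed response body; in practice pipe in the output of
    # curl -H "PRIVATE-TOKEN: <token>" https://gitlab.example.com/api/v4/version
    print(check_api_version_response('{"version":"16.5.1-ee","revision":"abc1234"}'))
```

Versions below 16.1.0 predate the change that introduced the bug and versions from 16.8 onward already contain the fix, so both report as not vulnerable; the fixed_in field is only populated for the seven branches the advisory lists.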
Temporary Mitigation
- Enable 2FA for all accounts (especially admin users)
- Avoid exposing GitLab to the public internet
- Apply network ACLs to restrict IP-based access
Official Patch
GitLab has released fixed versions (16.7.2, 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9 and 16.1.6).
Release announcement with the fixed versions:
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
PoC Example (for education only)
Timeline
- Jan 11, 2024: GitLab publishes the advisory
- Jan 12, 2024: PoC and analysis by Chaitin Tech
- Jan 12, 2024: Public disclosure via security channels
About GitLab
GitLab is an open-source DevOps platform that provides everything from source code management and CI/CD pipelines to monitoring and security β all in one place.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.