CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum-severity vulnerability could facilitate account takeover by causing password reset emails to be sent to an unverified email address.

GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023.

“Within these versions, all authentication mechanisms are impacted,” the company noted at the time. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”
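To make the bug class concrete, the following constructed model (added here, not GitLab's code) contrasts a reset handler that mails a token to any address linked to an account with a hardened one that delivers only to addresses the account owner has verified; the user store and addresses are invented sample data.

```python
"""Constructed model of the bug class behind CVE-2023-7028: a reset link mailed
to an address the account never verified. Illustration only, not GitLab code."""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    emails: dict  # address -> True once the user has confirmed ownership


# Constructed sample store: alice has one verified and one unverified address.
USERS = {
    "alice": User("alice", {"alice@example.com": True,
                            "alice.old@example.com": False}),
}
OUTBOX = []  # (recipient, token) pairs handed to the mailer


def _user_for(address):
    """Return the account that lists this address, verified or not."""
    return next((u for u in USERS.values() if address in u.emails), None)


def _deliver(address):
    """Generate a fresh reset token and queue it for the given recipient."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((address, token))
    return address


def reset_vulnerable(address):
    """Vulnerable pattern: any address linked to an account, verified or not,
    receives a live reset token."""
    user = _user_for(address)
    return _deliver(address) if user else None


def reset_hardened(address):
    """Hardened pattern: the token only goes to an address the account owner
    has verified; unknown and unverified addresses get the same silent refusal,
    so the response does not reveal which case applied."""
    user = _user_for(address)
    if user is None or not user.emails.get(address, False):
        return None
    return _deliver(address)
```

In a real audit the check to look for is the one in `reset_hardened`: the verification status of the recipient address must be consulted before any token leaves the system.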

Successful exploitation of the issue can have serious consequences: it not only enables an adversary to take control of a GitLab user account, but also to steal sensitive information and credentials, and even to poison source code repositories with malicious code, leading to supply chain attacks.

“For instance, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server,” cloud security firm Mitiga said in a recent report.

“Similarly, tampering with repository code might involve inserting malware that compromises system integrity or introduces backdoors for unauthorized access. Malicious code or abuse of the pipeline could lead to data theft, code disruption, unauthorized access, and supply chain attacks.”

The flaw has been addressed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, with the patches also backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

CISA has yet to provide any other details as to how the vulnerability is being exploited in real-world attacks. In light of active abuse, federal agencies are required to apply the latest fixes by May 22, 2024, to secure their networks.

Ravie Lakshmanan