BI.ZONE WAF handles five vulnerabilities in GitLab

GitLab, the company behind the open‑source software development platform of the same name, reported five security vulnerabilities on January 12.
January 18, 2024

Two of them—CVE-2023-7028 and CVE-2023-5356—are critical. Their CVSS severity scores are 10 out of 10 and 9.8 out of 10, respectively. Both vulnerabilities stem from logic errors and threaten companies whose GitLab instances are publicly accessible.

CVE-2023-7028 affects the authentication process. Due to this vulnerability, password reset emails could be sent to unverified email addresses without notifying the legitimate account user. The issue allows adversaries to take over user accounts, steal source code, or plant malicious fragments in it. The consequences could be serious for the entire organization, as GitLab is commonly used to store code, API keys, and other sensitive data. Moreover, an exploit for this vulnerability is already publicly available.

GitLab has released patches that fix the vulnerability in versions 16.5.6, 16.6.4, and 16.7.2, and has backported the fix to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. The following versions remain vulnerable:

from 16.1 to 16.1.6
from 16.2 to 16.2.9
from 16.3 to 16.3.7
from 16.4 to 16.4.5
from 16.5 to 16.5.6
from 16.6 to 16.6.4
from 16.7 to 16.7.2

By exploiting the CVE-2023-5356 vulnerability, adversaries can execute slash commands on behalf of other users, for example to delete or modify a piece of code in GitLab. This requires GitLab to be integrated with the enterprise messengers Slack or Mattermost. In Mattermost, slash commands allow the user to integrate external applications into the workspace, while in Slack they are used as shortcuts to invoke applications from the message composer.

GitLab has fixed the issue in versions 16.5.6, 16.6.4, and 16.7.2. The following versions still remain vulnerable:

from 8.13 to 16.5.6
from 16.6 to 16.6.4
from 16.7 to 16.7.2
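A quick way to check which of the two critical issues a given GitLab release is still exposed to, using the affected ranges listed above for CVE-2023-7028 and CVE-2023-5356. This is an added example, not code from BI.ZONE or GitLab; it assumes that the upper bound of each range is the patched release named in the text and therefore counts as fixed, and that the version string follows GitLab's usual "16.5.6" or "16.5.6-ee" form.

```python
"""Compare an installed GitLab version against the affected ranges for the two critical CVEs."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '16.5.6' or '16.5.6-ee' into a tuple of ints (the edition suffix is dropped)."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


# Affected ranges as listed on this page. Each pair is (first affected, first fixed):
# the start is inclusive, the end is the patched release and so is excluded.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2023-7028": [
        ("16.1", "16.1.6"), ("16.2", "16.2.9"), ("16.3", "16.3.7"), ("16.4", "16.4.5"),
        ("16.5", "16.5.6"), ("16.6", "16.6.4"), ("16.7", "16.7.2"),
    ],
    "CVE-2023-5356": [
        ("8.13", "16.5.6"), ("16.6", "16.6.4"), ("16.7", "16.7.2"),
    ],
}


def in_range(version: Version, start: str, fixed: str) -> bool:
    """True if start <= version < fixed. Tuple comparison treats '16.1' as the
    lowest possible 16.1.x, so a bare minor version works as an inclusive lower bound."""
    return parse_version(start) <= version < parse_version(fixed)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs (in page order) whose affected ranges contain this version."""
    version = parse_version(version_text)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(in_range(version, start, fixed) for start, fixed in ranges)
    ]


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ("16.5.5-ee", "16.5.6", "16.0.8", "16.7.2"):
        print(sample, "->", affected_cves(sample) or "no listed CVE")
```

Note that an instance on 16.0.x is not in any CVE-2023-7028 range but still falls inside the long 8.13 to 16.5.6 range for CVE-2023-5356, so "older than 16.1" is not the same as "unaffected".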

The other three vulnerabilities reported by GitLab are less severe. Nevertheless, they can lead to sensitive data exposure. In the case of CVE-2023-4812, the required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. CVE-2023-6955 enables adversaries to create a workspace in one group that is associated with an agent from another group. Using CVE-2023-2030, attackers could potentially modify the metadata of signed commits.

Not all companies are ready to immediately migrate to new GitLab versions. For such companies, we can activate special protection rules. Since the vulnerabilities affect the business logic of applications, BI.ZONE WAF employs personalized rules that take into account the specifics of a particular company, rather than mass rules. We also recommend that users set up two‑factor authentication. Since one of the vulnerabilities allows attackers to send a password reset request to a random email, two‑factor authentication can keep the data secure.
Dmitry Tsarev
Head of Cloud Security Solutions, BI.ZONE

BI.ZONE WAF provides multilayer protection of web applications and APIs, counteracts bot activity, and identifies vulnerabilities. The service can be used to protect web applications of critical infrastructure objects, government databases, and personal data systems.