CVE-2023-7028
Published: 12 January 2024
Summary
CVE-2023-7028 is a critical-severity vulnerability in GitLab (vendor: GitLab), classified as Weak Password Recovery Mechanism for Forgotten Password (CWE-640). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2023-7028 is a vulnerability in GitLab Community Edition and Enterprise Edition that affects all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. The flaw allows user account password reset emails to be delivered to an unverified email address, corresponding to CWE-640 and carrying a CVSS 3.1 score of 10.0.
An unauthenticated attacker can exploit the issue over the network to trigger password resets that are delivered to an attacker-controlled or otherwise unverified address, enabling full account takeover; the impact is to confidentiality and integrity, not availability.
Advisories hosted at the referenced GitLab issue tracker and HackerOne report direct administrators to upgrade affected instances to the listed fixed releases. The associated EPSS score has reached a peak of 0.9650 with a current value of 0.9343.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59219
Vulnerability details
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
- CWE(s): CWE-640
- KEV Date Added: 01 May 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
IA-5 requires secure management of authenticators, including password reset flows that must only deliver tokens to verified email addresses under the account owner's control.
AC-2 mandates procedures for account provisioning and maintenance that include verification of contact information before allowing password-reset actions.
AC-3 enforces approved authorization policies at runtime, preventing the password-reset function from acting on an unverified email address.
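As an added illustration of what the IA-5 and AC-2 controls above require of a reset flow (example code written for this page, not GitLab's own implementation), the following Ruby sketch places a reset-request handler in the weak shape this CWE-640 class takes beside a hardened one. The user records, email addresses, token store and TTL are constructed for the example.

```ruby
require 'securerandom'

User = Struct.new(:id, :verified_emails, :unverified_emails, keyword_init: true)

# Constructed sample accounts; "alice-pending" was added but never confirmed.
USERS = [
  User.new(id: 1, verified_emails: ['alice@example.com'],
           unverified_emails: ['alice-pending@example.net']),
  User.new(id: 2, verified_emails: ['bob@example.com'], unverified_emails: [])
].freeze

# Weak flow (the CWE-640 shape): any address attached to an account, verified
# or not, both locates the account and becomes the delivery address for the
# reset token. Returns [recipient, token] or nil.
def weak_reset(requested_email)
  user = USERS.find do |u|
    (u.verified_emails + u.unverified_emails).include?(requested_email)
  end
  return nil unless user
  [requested_email, SecureRandom.hex(16)]
end

# Hardened flow: only a verified address locates the account, and the
# recipient string is taken from the stored verified list, never from the
# request. Tokens are bound to the user id, time-limited and single-use.
TOKENS = {} # token => { user_id:, expires_at: }   (constructed in-memory store)
TOKEN_TTL = 600 # seconds; assumed value for the example

def hardened_reset(requested_email, now: Time.now)
  user = USERS.find { |u| u.verified_emails.include?(requested_email) }
  return nil unless user # caller sends the same generic response either way
  token = SecureRandom.hex(16)
  TOKENS[token] = { user_id: user.id, expires_at: now + TOKEN_TTL }
  recipient = user.verified_emails.find { |addr| addr == requested_email }
  [recipient, token]
end

# Redeems a token exactly once; nil if unknown, already used, or expired.
def redeem_reset_token(token, now: Time.now)
  entry = TOKENS.delete(token)
  return nil unless entry && now < entry[:expires_at]
  entry[:user_id]
end
```

With the sample data, the weak handler mails a token to the unconfirmed address while the hardened one refuses it and only ever delivers to the verified address on record.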