Cyber Resilience

CVE-2023-7028

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 12 January 2024
Modified: 24 October 2025
KEV Added: 01 May 2024
Patch
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.9343 (99.8th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-7028 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in GitLab (vendor GitLab, product GitLab). Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2023-7028 is a vulnerability in GitLab Community Edition and Enterprise Edition that affects all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. The flaw allows user account password reset emails to be delivered to an unverified email address, corresponding to CWE-640 and carrying a CVSS 3.1 score of 10.0.

An unauthenticated attacker can exploit the issue over the network to trigger password resets that reach an attacker-controlled or unverified address, enabling full account takeover with impacts to confidentiality and integrity but not availability.

Advisories hosted at the referenced GitLab issue tracker and HackerOne report direct administrators to upgrade affected instances to the listed fixed releases. The associated EPSS score has reached a peak of 0.9650 with a current value of 0.9343.
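As an added example (not part of the advisory or of GitLab's own tooling), the checker below encodes the affected ranges listed above and reports, for a GitLab version string, whether it falls in an affected range and which fixed release the advisory points to. The tolerated "-ee"/"-ce" suffix and the sample inventory are assumptions constructed for the example.

```python
"""Check a GitLab CE/EE version string against the CVE-2023-7028 affected ranges."""
from typing import Optional, Tuple

# First fixed release per affected minor branch, taken from the advisory text:
# every release in these branches below the listed patch level is affected.
FIXED_RELEASES = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing '-ee'/'-ce' edition suffix
    (assumed format) is tolerated, anything else raises rather than guessing."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range of CVE-2023-7028."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Branches the advisory does not list (16.0, 16.8 and later) are treated as not affected.
        return False
    return (major, minor, patch) < fixed

def remediation(version: str) -> Optional[str]:
    """Fixed release to upgrade to for an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    return ".".join(str(x) for x in FIXED_RELEASES[(major, minor)])

if __name__ == "__main__":
    # Constructed sample inventory of hostnames and versions, not real systems.
    inventory = {"git-a": "16.5.3-ee", "git-b": "16.7.2", "git-c": "16.0.8"}
    for host, ver in inventory.items():
        fix = remediation(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: GitLab {ver}: {status}")
```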

Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

CWE(s): CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
KEV Date Added: 01 May 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gitlab / gitlab (vendor / product)
16.1.0 — 16.1.6 · 16.2.0 — 16.2.9

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 requires secure management of authenticators, including password reset flows that must only deliver tokens to verified email addresses under the account owner's control.

Prevent: AC-2 mandates procedures for account provisioning and maintenance that include verification of contact information before allowing password-reset actions.

Prevent: AC-3 enforces approved authorization policies at runtime, preventing the password-reset function from acting on an unverified email address.