GitLab Releases Updates to Address Critical Vulnerabilities

Published: 23/11/2024   Category: security




Two vulnerabilities are critical, and three others are determined to be of high, medium, and low severity.



In a newly released update, GitLab reports that it is releasing versions 16.7.2, 16.6.3, and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE) in order to address a series of critical vulnerabilities.
Two critical vulnerabilities, along with one each of high, medium, and low severity, are covered by the fixes, and the vendor urges customers to apply them as soon as possible.
The first critical vulnerability, tracked as CVE-2023-7028, is an authentication issue that allows password reset messages to be sent to unverified email addresses; it carries the maximum severity score of 10. Threat actors do not need any user interaction to exploit this vulnerability successfully, though GitLab noted that it has not detected any active exploitation.
The versions affected are 16.1 prior to 16.1.5; 16.2 prior to 16.2.8; 16.3 prior to 16.3.6; 16.4 prior to 16.4.4; 16.5 prior to 16.5.6; 16.6 prior to 16.6.4; and 16.7 prior to 16.7.2.
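The affected ranges above lend themselves to a simple inventory check. The following script is an added example written for this article, not GitLab's own tooling: it encodes the ranges exactly as the advisory lists them and flags any self-hosted instance whose version string falls inside one. The hostnames and version strings in the sample inventory are constructed, and the function names are assumptions.

```python
"""Flag self-hosted GitLab versions inside the CVE-2023-7028 affected ranges.

Example code written for this article (not GitLab's own tooling). Helper
and function names are assumptions; the ranges are taken from the advisory.
"""
from typing import Dict, Tuple

# (major, minor) series -> first patch release in that series that is fixed.
# A version in a listed series is affected when it is older than the fix.
FIXED_IN_CVE_2023_7028: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 1): (16, 1, 5),
    (16, 2): (16, 2, 8),
    (16, 3): (16, 3, 6),
    (16, 4): (16, 4, 4),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_vulnerable_to_cve_2023_7028(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_IN_CVE_2023_7028.get((major, minor))
    if fixed is None:
        return False  # series not named in the advisory's affected list
    return (major, minor, patch) < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a fleet inventory to an 'UPGRADE' or 'ok' verdict."""
    return {host: ("UPGRADE" if is_vulnerable_to_cve_2023_7028(v) else "ok")
            for host, v in inventory.items()}


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "git.example.internal": "16.5.4-ee",   # affected: older than 16.5.6
    "ci.example.internal": "16.7.2",       # fixed release
    "lab.example.internal": "16.1.5-ce",   # first fixed 16.1 release
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```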
The second critical vulnerability, tracked as CVE-2023-5356, can be used to impersonate another user and execute slash commands, abusing the Slack/Mattermost integrations. The underlying incorrect authorization checks are present in all versions starting from 8.13 before 16.5.6, all versions from 16.6 before 16.6.4, and all versions from 16.7 before 16.7.2.
The three other vulnerabilities mentioned in the report are a bypass of CODEOWNERS approval removal (CVE-2023-4812), workspaces being created under a different root namespace (CVE-2023-6955), and modification of the metadata of signed commits (CVE-2023-2030).
GitLab recommends upgrading and enabling two-factor authentication for all accounts.
