GitLab vulnerability: 5,300+ self-hosted servers exposed to account takeover attacks

Over 5,300 GitLab instances were vulnerable to CVE-2023-7028, a critical zero-click account takeover vulnerability disclosed by GitLab. "Zero-click" means the attacker can gain unauthorized access to a user's account without any interaction from the victim.

This flaw, rated with a severity score of 10.0, lets an attacker have password reset emails delivered to an attacker-controlled address, which enables unauthorized account access. Accounts without two-factor authentication (2FA) are particularly at risk. It affects GitLab Community and Enterprise Edition versions 16.1 through 16.7 released before the patches of January 11, 2024. GitLab has since issued fixes in versions 16.7.2, 16.5.6, and 16.6.4 and provided backported patches for earlier versions.

ShadowServer reported on January 23 that over 5,300 vulnerable GitLab instances were exposed online; on January 29, 3,112 servers were still vulnerable. Exposed instances risk supply chain attacks, proprietary code leaks, and other security breaches. If you run your own GitLab instance, we recommend rotating your credentials, enabling 2FA, applying the security updates, and using SSO login. Also consult GitLab's incident response guide for detection and remediation steps.

To check whether your instance has been compromised, GitLab shared the following detection tips for defenders:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
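As an added example (not code from this post or from GitLab), the following Python script applies both checks to JSON-lines logs. The sample entries are constructed, and how real GitLab logs nest the named fields (params.value.email, meta.caller.id, target_details) is an assumption; the accessors also accept the string-encoded array form of target_details.

```python
import json
# Constructed sample lines (not real GitLab output). The field layout follows the paths named in
# GitLab's guidance; how real logs nest them is an assumption, so adjust the accessors if needed.
PRODUCTION_LOG = """
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.5"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7"}
"""
AUDIT_LOG = """
{"meta.caller.id":"PasswordsController#create","target_details":"alice@example.com","ip_address":"203.0.113.5"}
{"meta.caller.id":"PasswordsController#create","target_details":"[\\"alice@example.com\\",\\"attacker@example.net\\"]","ip_address":"198.51.100.7"}
{"meta.caller.id":"SessionsController#create","target_details":"alice@example.com","ip_address":"203.0.113.5"}
"""

def email_array(value):
    """Return the list if value is a JSON array (or a string encoding one), else None."""
    if isinstance(value, str) and value.lstrip().startswith("["):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return None
    return value if isinstance(value, list) else None

def multi_email_reset(entry):
    """production_json.log check: /users/password request whose params.value.email is a multi-address array."""
    if entry.get("path") != "/users/password":
        return False
    for param in entry.get("params", []):
        value = param.get("value")
        if isinstance(value, dict) and len(email_array(value.get("email")) or []) > 1:
            return True
    return False

def multi_email_audit(entry):
    """audit_json.log check: PasswordsController#create whose target_details is a multi-address array."""
    caller = entry.get("meta.caller.id") or entry.get("meta.caller_id")  # second spelling: key used in real GitLab logs
    if caller != "PasswordsController#create":
        return False
    return len(email_array(entry.get("target_details")) or []) > 1

def parse_lines(log_text):
    """Yield parsed JSON entries, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def scan(log_text, predicate):
    """Return the entries in log_text that predicate flags."""
    return [entry for entry in parse_lines(log_text) if predicate(entry)]
```

Point `scan` at the real log files' contents and review every flagged entry's source IP and timestamp; a single reset request carrying more than one address is the signature GitLab describes.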

Adding HackersBait can help detect intrusions early and mitigate potential security breaches before they escalate.