{"id":55176,"date":"2024-01-26T15:14:33","date_gmt":"2024-01-26T15:14:33","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35452\/5.3k-Servers-Still-Vulnerable-To-GitLab-Password-Reset-Flaw.html"},"modified":"2024-01-26T15:14:33","modified_gmt":"2024-01-26T15:14:33","slug":"5-3k-servers-still-vulnerable-to-gitlab-password-reset-flaw","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/5-3k-servers-still-vulnerable-to-gitlab-password-reset-flaw\/","title":{"rendered":"5.3k Servers Still Vulnerable To GitLab Password Reset Flaw"},"content":{"rendered":"
<\/div>\n

Critical GitLab vulnerability CVE-2023-7028<\/a> was not patched on more than 5,300 servers as of Tuesday, potentially enabling remote takeover of software developers\u2019 accounts.<\/p>\n

The bug, with a maximum CVSS score of 10, was first disclosed and patched by GitLab<\/a> on Jan. 11. The vulnerability in GitLab\u2019s login system would allow an attacker to have a password reset link sent to their own unverified email address without any user interaction by the victim.<\/p>\n

\u201cAccount takeover can be achieved by crafting a specially formatted HTTP request that is capable of sending a password reset email to an unverified email address in an unpatched version,\u201d a GitLab spokesperson told SC Media in a Jan. 12 email.<\/p>\n

Security updates were released for GitLab versions 16.5.6, 16.6.4 and 16.7.2 and backported to versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5, as well.<\/p>\n

One researcher who tested the bug on GitLab Community Edition version 16.6.1 and shared their results on AttackerKB<\/a> said CVE-2023-7028 was, \u201cVery effective and easy to exploit.\u201d<\/p>\n

Nearly two weeks after patches became available, 5,379 vulnerable instances of GitLab<\/a> were detected worldwide by the Shadowserver Foundation. The nonprofit organization, which monitors malicious activity online, posted the data from Jan. 23 on X<\/a>, noting that the United States and Germany had the most vulnerable instances, with 964 and 730 respectively.<\/p>\n

Shadowserver\u2019s dashboard tool<\/a> showed fewer vulnerable instances (4,652) on Jan. 24. A Shadowserver spokesperson confirmed with SC Media that there was “a drop in detected vulnerable instances, which is a positive development,” but that more time would be needed to determine whether this decrease was a trend or a “blip” in Shadowserver’s scans.<\/p>\n

Indicators of compromise for GitLab CVE-2023-7028<\/h2>\n

GitLab customers with self-managed instances of the affected products \u2014 GitLab Community Edition and GitLab Enterprise Edition \u2014 should review their logs for exploitation of CVE-2023-7028 using the two following methods, as outlined by GitLab:<\/p>\n

\n