High-severity GitLab flaw lets attackers take over accounts

GitLab, a popular software development platform, has recently patched two high-severity security vulnerabilities that could have allowed attackers to compromise user accounts. The first, CVE-2024-4835, affected the VS Code editor and required user interaction: a victim had to be lured to a malicious website, from which an attacker could potentially steal sensitive information. The second, CVE-2023-7028, was more concerning, as it allowed attackers to completely hijack GitLab accounts without any user interaction.
This zero-click exploit enabled attackers to have password reset emails sent to attacker-controlled addresses, granting them full access to the compromised accounts. The severity of this vulnerability led the US government to mandate that federal agencies patch the issue within three weeks.
Early reports indicate that over 5,300 vulnerable GitLab instances were identified earlier this year. While the exact number of affected accounts remains unknown, the vulnerability was actively exploited by attackers. Thankfully, fewer than half of the vulnerable instances remain accessible, indicating significant progress in remediation efforts.
The exploitation of these vulnerabilities highlights the critical importance of promptly patching security flaws. Compromised GitLab accounts could have granted attackers access to sensitive source code, project data, and potentially even intellectual property.
Recommendations for Users
GitLab has released patches for both vulnerabilities. Users and administrators are strongly encouraged to update affected installations immediately to protect themselves from exploitation. Additionally, organizations should implement strong password policies, enable multi-factor authentication, and regularly monitor their systems for any signs of compromise, such as password reset emails being sent to addresses that do not belong to the account owner.
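As an illustration of the "monitor for signs of compromise" recommendation, the following Python script is an added example written for this summary; it is not GitLab's own tooling, and the one-JSON-object-per-line log format, the field names (event, user, primary_email, reset_targets, ip) and the sample log lines are all constructed assumptions for the example. It flags password reset requests whose target addresses include anything other than the account's primary email, which is the behaviour described above for the zero-click account takeover, and it also counts reset requests per source address so a burst of resets from one origin stands out.

```python
import json
from collections import Counter

# Constructed sample log (not real GitLab output): one JSON object per line.
# Field names are an assumption made for this example. The final line is
# deliberately malformed to show that the parser tolerates bad input.
SAMPLE_LOG = """\
{"ts": "2024-01-12T08:01:02Z", "event": "password_reset_requested", "user": "alice", "primary_email": "alice@example.com", "reset_targets": ["alice@example.com"], "ip": "198.51.100.4"}
{"ts": "2024-01-12T08:03:15Z", "event": "password_reset_requested", "user": "bob", "primary_email": "bob@example.com", "reset_targets": ["bob@example.com", "intruder@attacker.example"], "ip": "203.0.113.9"}
{"ts": "2024-01-12T08:03:40Z", "event": "login_success", "user": "alice", "ip": "198.51.100.4"}
{"ts": "2024-01-12T08:04:01Z", "event": "password_reset_requested", "user": "carol", "primary_email": "carol@example.com", "reset_targets": ["someone@attacker.example"], "ip": "203.0.113.9"}
this line is not JSON
"""


def parse_events(text):
    """Parse JSON-per-line log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A monitor must keep running on bad input; skip the line instead of crashing.
            continue
    return events


def suspicious_resets(events):
    """Return reset requests whose targets include any address other than the user's primary email.

    A legitimate reset goes only to the verified primary address, so any extra or
    different recipient is the signal described for the zero-click takeover.
    """
    findings = []
    for ev in events:
        if ev.get("event") != "password_reset_requested":
            continue
        primary = ev.get("primary_email")
        unexpected = [t for t in ev.get("reset_targets", []) if t != primary]
        if unexpected:
            findings.append({"user": ev.get("user"), "ip": ev.get("ip"), "unexpected": unexpected})
    return findings


def resets_per_ip(events):
    """Count password reset requests per source IP; a burst from one origin is a second signal."""
    return Counter(ev.get("ip") for ev in events if ev.get("event") == "password_reset_requested")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in suspicious_resets(evs):
        print(f"ALERT user={finding['user']} ip={finding['ip']} unexpected_targets={finding['unexpected']}")
    for ip, count in resets_per_ip(evs).most_common():
        print(f"resets from {ip}: {count}")
```

In practice the parse step would read the instance's real authentication or request log, and the alert would feed a SIEM rule rather than print; the comparison logic (reset recipients versus the verified primary email) stays the same.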
Ongoing Security Efforts
This incident underscores the ongoing challenges of securing software platforms in an increasingly hostile cyber environment. GitLab remains committed to prioritizing security and responding promptly to vulnerabilities. The company has also implemented various security features and processes to enhance the platform's overall security posture.
Bleeping Computer 05/23/2024