GitLab Product Security Update Advisory (CVE-2023-7028, CVE-2023-5356, CVE-2023-4812, CVE-2023-6955, CVE-2023-2030)

Overview

GitLab has released a security update to fix vulnerabilities in its products. Users of affected systems are advised to update to the latest version.

Affected Products

CVE-2023-7028

  • GitLab CE/EE 16.1: All versions before 16.1.6
  • GitLab CE/EE 16.2: All versions before 16.2.9
  • GitLab CE/EE 16.3: All versions before 16.3.7
  • GitLab CE/EE 16.4: All versions before 16.4.5
  • GitLab CE/EE 16.5: All versions before 16.5.6
  • GitLab CE/EE 16.6: All versions before 16.6.4
  • GitLab CE/EE 16.7: All versions before 16.7.2

CVE-2023-4812

  • GitLab CE/EE 15.3 and later: All versions before 16.5.5
  • GitLab CE/EE 16.6: All versions before 16.6.4
  • GitLab CE/EE 16.7 and later: All versions before 16.7.2

CVE-2023-5356

  • GitLab CE/EE 8.13 and later: All versions before 16.5.6
  • GitLab CE/EE 16.6 and later: All versions before 16.6.4
  • GitLab CE/EE 16.7 and later: All versions before 16.7.2

CVE-2023-6955

  • GitLab CE/EE: All versions before 16.5.6
  • GitLab CE/EE 16.6 and later: All versions before 16.6.4
  • GitLab CE/EE 16.7 and later: All versions before 16.7.2

CVE-2023-2030

  • GitLab CE/EE 12.2 and later: All versions before 16.5.6
  • GitLab CE/EE 16.6 and later: All versions before 16.6.4
  • GitLab CE/EE 16.7 and later: All versions before 16.7.2

Resolved Vulnerabilities

  • CVE-2023-7028: Account takeover vulnerability in which the password reset email for a user account could be delivered to an unverified email address.
  • CVE-2023-4812: Authorization bypass vulnerability allowing a required CODEOWNERS approval to be bypassed.
  • CVE-2023-5356: Vulnerability in the integrated Slack and Mattermost functionality that, due to incorrect authentication checks, could allow slash commands to be forwarded to other users.
  • CVE-2023-6955: Improper access control vulnerability in GitLab Remote Development that could allow an attacker to create a workspace in the root namespace associated with an agent belonging to a different group.
  • CVE-2023-2030: Vulnerability that could allow the metadata of signed commits to be modified.

Vulnerability Patches

On January 11, the following vulnerability patches were made available. Users of affected versions are advised to update to the latest version.

CVE-2023-7028

  • GitLab CE/EE versions 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2

CVE-2023-4812

  • GitLab CE/EE versions 16.5.5, 16.6.4, 16.7.2

CVE-2023-5356

  • GitLab CE/EE versions 16.5.6, 16.6.4, 16.7.2

CVE-2023-6955

  • GitLab CE/EE versions 16.5.6, 16.6.4, 16.7.2

CVE-2023-2030

  • GitLab CE/EE versions 16.5.6, 16.6.4, 16.7.2
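As an added example (not part of this advisory and not GitLab's own tooling), the following Python script encodes the affected and fixed version ranges listed above and reports which of the five CVEs still apply to a given GitLab CE/EE version, so an administrator can triage an instance before upgrading. It assumes the version is available as a plain MAJOR.MINOR.PATCH string (an -ee or -ce suffix is tolerated) and mirrors the page's ranges exactly, including that only the 16.1 to 16.7 series are listed for CVE-2023-7028.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges per CVE, copied from the "Affected Products" section of the advisory:
# each entry is (first affected version, fixed version); a version v is affected
# when lower <= v < fixed. "0.0.0" stands for "all versions before".
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2023-7028": [("16.1.0", "16.1.6"), ("16.2.0", "16.2.9"), ("16.3.0", "16.3.7"),
                      ("16.4.0", "16.4.5"), ("16.5.0", "16.5.6"), ("16.6.0", "16.6.4"),
                      ("16.7.0", "16.7.2")],
    "CVE-2023-4812": [("15.3.0", "16.5.5"), ("16.6.0", "16.6.4"), ("16.7.0", "16.7.2")],
    "CVE-2023-5356": [("8.13.0", "16.5.6"), ("16.6.0", "16.6.4"), ("16.7.0", "16.7.2")],
    "CVE-2023-6955": [("0.0.0", "16.5.6"), ("16.6.0", "16.6.4"), ("16.7.0", "16.7.2")],
    "CVE-2023-2030": [("12.2.0", "16.5.6"), ("16.6.0", "16.6.4"), ("16.7.0", "16.7.2")],
}


def parse_version(text: str) -> Version:
    """Turn '16.7.2' or '16.7.2-ee' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]  # drop an edition suffix such as -ee
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from this advisory whose affected ranges contain `version`."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(low) <= v < parse_version(fixed) for low, fixed in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs; replace with the version reported by your instance.
    for sample in ("16.7.1", "16.5.5", "16.7.2-ee"):
        cves = affected_cves(sample)
        print(f"{sample}: {'patched for all five' if not cves else ', '.join(cves)}")
```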

Referenced Sites

[1] https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/