Patches must be installed promptly
Gitlab warned two weeks ago about CVE-2023-7028 and a number of other vulnerabilities. At the time, a widely used source code management software provider was offering patches for many Gitlab releases. Systems are protected from versions 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, and 16.7.2. Administrators are strongly encouraged to update their Gitlab instances if they have not already done so.
CVE-2023-7028 allows malicious actors to reset other Gitlab users' passwords via an unverified email address. This allows them to have full control over external user accounts. Anyone using Gitlab via the provider's website probably doesn't have to worry about their account, as the company has already patched its own systems.
In addition, the provider recommends that all users activate two-factor authentication (2FA) – especially if the account in question is equipped with extended access rights. With 2FA activated, an attacker on unpatched instances can still reset another user's password with CVE-2023-7028, but this will prevent them from taking over the account.
