Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member Latest Breaking News Editorials & Other Articles General Discussion The DU Lounge All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

Computer Help and Support

Passages

(747 posts) Thu May 2, 2024, 10:18 AM May 2024

CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

May 02, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address.

GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023.

"Within these versions, all authentication mechanisms are impacted," the company noted at the time. "Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."
https://thehackernews.com/2024/05/cisa-warns-of-active-exploitation-of.html?_m=3n%2e009a%2e3345%2eqb0ao44uux%2e2ckw

Reply to this discussion