On 12 January 2024, GitLab released emergency patches for two critical vulnerabilities, namely:
CVE-2023-7028 (CVSS 10) enables a potential unauthenticated attacker to send a password request to a random and unverified email address. The vulnerability can be triggered without user interaction which makes it particularly concerning. This security issue should be treated with the highest level of priority by all organizations. There is a significant risk exposure to account hijacking particularly for organizations that use GitLab to host sensitive data including API keys and proprietary code. Impacted versions include: 6.1 prior to116.1.5, 16.2 prior to 16.2.8, 16.3 prior to 16.3.6, 16.4 prior to 16.4.4, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, 16.7 prior to 16.7.2. GitLab recommends to upgrade vulnerable versions and to implement multi-factor authentication, especially on privileged accounts.
CVE-2023-5356 (CVSS 9.6) enables a potential attacker to abuse Slack/Mattermost integrations to execute slash commands as another user due to an incorrect authorization check. Impacted versions include all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2.