Vulnerability Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 16.1.0, < 16.1.6 |
Related Weaknesses (CWE)
References
- https://gitlab.com/gitlab-org/gitlab/-/issues/436084ExploitIssue TrackingVendor Advisory
- https://hackerone.com/reports/2293343Permissions Required
- https://gitlab.com/gitlab-org/gitlab/-/issues/436084ExploitIssue TrackingVendor Advisory
- https://hackerone.com/reports/2293343Permissions Required
- https://www.vicarius.io/vsociety/posts/critical-gitlab-account-takeover-vulnerabExploitThird Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-US Government Resource
FAQ
What is CVE-2023-7028?
CVE-2023-7028 is a vulnerability with a CVSS score of 10.0 (CRITICAL). An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16....
How severe is CVE-2023-7028?
CVE-2023-7028 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-7028?
Check the references section above for vendor advisories and patch information. Affected products include: Gitlab Gitlab.