Maximum-severity GitLab flaw allowing account hijacking under active exploitation

This one looks fun:
A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January.
https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under...
The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.
Make sure you're patched if you run GitLab!

rb
--
BCLUG.ca https://bclug.ca

Scott Allen wrote on 2024-05-02 15:39:
>> Make sure you're patched if you run GitLab!
> What is meant by "patched"? I use FIDO security key based 2FA for my GitLab account login. Is there something else I need to do?
If you administer a GitLab instance, it looks like you ought to apply a patch from January. If you merely have an account, MFA / 2FA will prevent someone from taking over your account, but you may be susceptible to someone else generating password resets on your behalf. Which would amount to merely an inconvenience. rb
Participants (2):
- Ron / BCLUG
- Scott Allen