An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
PoC tested on Kali 2023.3
- Install GitLab 16.7.0-ee in docker (set $GITLAB_HOME to the host directory that will hold the config/logs/data volumes before running the second command)
#sudo docker pull gitlab/gitlab-ee:16.7.0-ee.0
#sudo docker run --detach --publish 8443:443 --publish 2222:22 --publish 8080:80 --name gitlab-container --restart always --volume $GITLAB_HOME/config:/etc/gitlab --volume $GITLAB_HOME/logs:/var/log/gitlab --volume $GITLAB_HOME/data:/var/opt/gitlab --shm-size 256m gitlab/gitlab-ee:16.7.0-ee.0
be patient, it takes some time to start!
- setup SMTP in the gitlab container so that password reset emails are actually delivered: https://docs.gitlab.com/omnibus/settings/smtp.html
- Log in to gitlab
#sudo docker exec -it gitlab-container grep "Password:" /etc/gitlab/initial_root_password
Login/pass: root / the password printed by the grep above
- create an account by going to "Admin Area" and Users
next create a user with a valid email address and validate that account
- run the poc
./cve-2023-7028.sh https://gitlab.site.com useremail@gitlab.site.com otheremail@otherdomain.com
- result: a password reset email is sent to the original email address AND to the other email address
Workaround/Fix: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
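Before applying the fix it helps to know whether a given instance is inside the affected ranges quoted at the top of this page. The script below is an added example written for this page, not part of the PoC or of GitLab itself: it encodes the seven fixed versions from the advisory text and reports whether a version string (as shown by GitLab's `/api/v4/version` endpoint or by the docker image tag, e.g. `16.7.0-ee`) is still vulnerable. Minor lines the advisory does not list (16.0, 16.8 and later) are treated as not covered by the stated ranges; the instance URL and token in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example: check a GitLab version string against the CVE-2023-7028
# affected ranges ("16.x prior to <fixed>") quoted in the advisory text.
# Exit status of gitlab_affected: 0 = inside an affected range, 1 = not.

# First fixed release per minor line, taken from the advisory text.
FIXED_VERSIONS="16.1.6 16.2.9 16.3.7 16.4.5 16.5.6 16.6.4 16.7.2"

# gitlab_affected MAJOR.MINOR[.PATCH][-suffix]
gitlab_affected() {
    local ver major rest minor patch fixed fmajor frest fminor fpatch
    ver="${1%%-*}"                 # strip edition/build suffix such as "-ee" or "-ee.0"
    major="${ver%%.*}"; rest="${ver#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0   # tolerate "16.7" with no patch component
    for fixed in $FIXED_VERSIONS; do
        fmajor="${fixed%%.*}"; frest="${fixed#*.}"
        fminor="${frest%%.*}"; fpatch="${frest#*.}"
        if [ "$major" -eq "$fmajor" ] && [ "$minor" -eq "$fminor" ]; then
            # Same minor line: vulnerable only if the patch level is below the fix.
            [ "$patch" -lt "$fpatch" ] && return 0
            return 1
        fi
    done
    return 1   # minor line not listed in the advisory's ranges
}

# Manual usage (placeholder URL/token; GitLab's real version endpoint is /api/v4/version):
#   v=$(curl -s --header "PRIVATE-TOKEN: $GITLAB_TOKEN" https://gitlab.example.com/api/v4/version \
#       | sed -n 's/.*"version":"\([^"]*\)".*/\1/p')
#   gitlab_affected "$v" && echo "AFFECTED: $v, apply the 16.7.2 (or matching) fix"
if [ $# -gt 0 ]; then
    if gitlab_affected "$1"; then
        echo "$1: AFFECTED by CVE-2023-7028"
    else
        echo "$1: not in an affected range"
    fi
fi
```

Run it as `./check-version.sh 16.7.0-ee` from the lab above, or feed it the value returned by the API call in the comment; any non-zero patch comparison against the listed fixed release is what decides the result, so the script needs no network access of its own.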
more about me ;) https://www.linkedin.com/in/duy-huan-bui/