The #GitLab #vulnerability allowing trivial account hijacking (CVE-2023-7028) will lead to a ton of problems: it will allow malicious actors to perform #supplychain #attacks, something that will allow an attacker to gain access to 3rd parties who don't themselves run GitLab but just include from projects that do. I would suggest great caution regardless of whether you run GitLab yourself or not.
Naturally, anyone using GitLab themselves must update as soon as possible. I would also suggest performing a forensic investigation to find out if you have already been compromised, and taking further action in case a compromise has already occurred. Check the "Were any accounts actually compromised due to this vulnerability?" section in this post for details: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/