0-click GitLab hijacking flaw under active exploit, with thousands still unpatched
Briefly

A maximum severity vulnerability in GitLab allows account hijacking without user interaction. The flaw carries a severity rating of 10/10 and works on accounts without multi-factor authentication.
A recent GitLab change allowed account password resets to be sent to a secondary email address, and that became the attack vector: an attacker can trigger a reset email for a victim's account, follow the embedded link, and take over the account.
The US government warns that the GitLab vulnerability, now tracked as CVE-2023-7028, is under active exploitation. CISA has given no details about the current attacks, and GitLab has not disclosed specifics of the exploitation either.
The GitLab vulnerability poses a significant threat as attackers can access and modify users' development environments, potentially sabotaging projects or introducing backdoors, similar to the SolarWinds supply chain attack in 2021.
Read at Ars Technica