Patch GitLab vuln without delay, users warned | Computer Weekly
Briefly

The addition of a vulnerability to the KEV catalogue obliges affected US government bodies to patch it immediately (in this case they have until later in May to do so), but it also serves as a useful guide, and a timely warning, to enterprises and other organisations about which new vulnerabilities are most impactful, and therefore most valuable to cyber criminals and other threat actors.
CVE-2023-7028 affects all versions of GitLab CE/EE from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. Users should update to versions 16.7.2, 16.6.4 and 16.5.6 immediately.
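The version ranges above are the kind of thing an administrator ends up checking across a fleet of instances by hand. The following checker is an added example, not tooling from GitLab or from the article: it encodes the affected ranges exactly as listed (first affected release of each 16.x line up to, but excluding, the first fixed release in that line), parses the version strings GitLab reports (including suffixes such as `-ee` or a leading `v`, which it ignores for comparison), and reports which instances still need patching and the first fixed release in their line. The inventory of instance names and versions is constructed for illustration.

```python
"""Flag GitLab CE/EE versions that fall inside the CVE-2023-7028 affected ranges.

Added example, not GitLab's own tooling. The ranges are transcribed from the
advisory as quoted in the article: each 16.x line is affected from its first
release up to (but excluding) the first fixed release of that line.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, first fixed version) per minor line; the upper bound is exclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((16, 1, 0), (16, 1, 6)),
    ((16, 2, 0), (16, 2, 9)),
    ((16, 3, 0), (16, 3, 7)),
    ((16, 4, 0), (16, 4, 5)),
    ((16, 5, 0), (16, 5, 6)),
    ((16, 6, 0), (16, 6, 4)),
    ((16, 7, 0), (16, 7, 2)),
]

# Constructed sample inventory: instance name -> version string as the instance reports it.
SAMPLE_INVENTORY: Dict[str, str] = {
    "gitlab-prod": "16.6.3-ee",     # inside the 16.6 range, needs 16.6.4
    "gitlab-staging": "16.7.2-ee",  # first fixed release of the 16.7 line
    "gitlab-legacy": "16.0.8",      # predates the affected lines entirely
    "gitlab-dev": "v16.3.1",        # inside the 16.3 range, needs 16.3.7
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' with an optional leading 'v' and any trailing
    suffix (e.g. '-ee', '-rc1'). Only the numeric core takes part in comparisons."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_range(version: Version) -> Optional[Tuple[Version, Version]]:
    """Return the (lower, first_fixed) range containing `version`, or None if unaffected."""
    for lower, first_fixed in AFFECTED_RANGES:
        if lower <= version < first_fixed:
            return lower, first_fixed
    return None


def assess(version_text: str) -> dict:
    """Assess one reported version string and name the first fixed release in its line."""
    rng = affected_range(parse_version(version_text))
    if rng is None:
        return {"version": version_text, "affected": False, "fix": None}
    return {"version": version_text, "affected": True, "fix": ".".join(map(str, rng[1]))}


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (instance, reported version, first fixed release) for every affected instance,
    sorted by instance name so the output is stable for ticketing or diffing."""
    findings = []
    for name, version_text in inventory.items():
        result = assess(version_text)
        if result["affected"]:
            findings.append((name, version_text, result["fix"]))
    return sorted(findings)


if __name__ == "__main__":
    for name, version_text, fix in triage(SAMPLE_INVENTORY):
        print(f"{name}: {version_text} is affected by CVE-2023-7028; upgrade to {fix} or later")
```

The exclusive upper bound matters: 16.7.2 itself is the fixed release, so it must not be flagged, while 16.7.1 must be. Versions outside the 16.1 to 16.7 lines (such as 16.0.x or 16.8.x) are not in the advisory's list and are reported as unaffected by this checker; that reflects only what the advisory states, not an independent assessment of those releases.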
"We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards," wrote GitLab's Greg Meyers in the organisation's disclosure notice.
Beyond applying the fix, organisations may wish to consider enabling multi-factor authentication (MFA) across their GitLab accounts, and rotating all secrets stored in GitLab, including credent.
Read at ComputerWeekly.com