Content written for

Individuals & families
Small & medium business
Large organisations & infrastructure
Government

This alert is relevant to Australians who use GitLab on any platform.

These vulnerabilities impact the versions listed below:

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1

This alert is intended to be understood by all users.

Customers are encouraged to patch to the latest version using the GitLab upgrade path and to enforce multi-factor authentication for all GitLab accounts.

Background / What has happened?

  • GitLab has posted a security advisory and patch to address several vulnerabilities, the most severe of which is CVE-2023-7028.
  • CVE-2023-7028 allows an account take over via the ability to have password reset emails delivered to an unauthenticated email address.
  • Multi-factor authentication should be enabled immediately for all GitLabs users, and self-managed instances should be upgraded to the latest version as soon as possible.
  • Users with multi-factor authentication already enabled may be impacted by a password reset, however an attacker would not be able to take over their account using this vulnerability.
  • GitLab is not aware of any active exploitation of this vulnerability which was discovered via their Bug Bounty program.

Affected versions / applications:

  • CVE-2023-7028: This vulnerability impacts all versions of GitLab CC/EE from 16.1 to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2
  • The security release also addresses CVE-2023-5356, CVE-2023-4812, CVE2023-6955 and CVE-2023-2030.

Mitigation / How do I stay secure?

Assistance / Where can I go for help?

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it