Threat Intelligence / CVE / CVE-2023-7028
CVE-2023-7028
CISA KEVAn issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-640
Threats tracking this CVE
- APT35 (Charming Kitten) GCC Pre-Positioning Cyber Reconnaissance Campaign Enabling Kinetic Targeting — CRITICAL
References
- https://gitlab.com/gitlab-org/gitlab/-/issues/436084
- https://hackerone.com/reports/2293343
- https://www.vicarius.io/vsociety/posts/critical-gitlab-account-takeover-vulnerability-cve-2023-7028
Full detection coverage & IOCs for threats exploiting CVE-2023-7028 are available via the Threadlinqs MCP server (Purple tier). View plans →