Federal frenzy to patch gaping GitLab account takeover hole

The US Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all federal agencies patch a critical GitLab vulnerability that has been actively exploited since its introduction in May 2023. The flaw, tracked as CVE-2023-7028, allows unauthorized account takeovers via a password reset exploit. Federal agencies have up to 21 days to address the issue, which has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
GitLab has already issued fixes for this vulnerability across several versions of its software, significantly reducing the number of exposed instances. Despite the severity, users who have two-factor authentication (2FA) enabled are protected from this flaw. The urgency to patch stems from the risk of software supply chain attacks, similar to past incidents involving adversarial nations and ransomware groups.