#GitLabSecurityAlert

H3lium@infosec.exchange/:~# (@H3liumb0y@infosec.exchange)
2024-01-12

"🔐 #GitLabSecurityAlert - Multiple Critical Vulnerabilities Patched in GitLab 🚨"

📰 GitLab has released critical updates (16.7.2, 16.6.4, 16.5.6) addressing several security vulnerabilities, including a critical account takeover flaw and a Slack/Mattermost integration exploit. Users are urged to update immediately.

1️⃣ The most severe, CVE-2023-7028, allowed password reset emails to be sent to unverified addresses (CVSS 10.0).
2️⃣ CVE-2023-5356 permitted unauthorized execution of slash commands in Slack/Mattermost integrations (CVSS 9.6).
3️⃣ CVE-2023-4812 involved bypassing CODEOWNERS approval in merge requests (CVSS 7.6).
4️⃣ CVE-2023-6955, a medium severity issue, related to improper access control in GitLab Remote Development (CVSS 6.6).
5️⃣ The least critical, CVE-2023-2030, allowed alteration of metadata in signed commits (CVSS 3.5).
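The post's one actionable instruction is "update immediately", which in practice means checking every GitLab instance you run against the three patched releases it names. The script below is an added example (not from the post, GitLab, or the original author): it parses GitLab version strings, compares them against the fixed versions 16.7.2, 16.6.4 and 16.5.6, and classifies each host in a constructed inventory. It deliberately assumes only those three releases are patched, so any older 16.x branch is flagged as needing an update; the inventory lines and hostnames are made up for illustration.

```python
# Added example: classify GitLab instances against the patched releases
# named in the post (16.7.2, 16.6.4, 16.5.6). Assumption: only these three
# are treated as fixed; any release on an older branch is flagged.
PATCHED = {
    (16, 7): (16, 7, 2),
    (16, 6): (16, 6, 4),
    (16, 5): (16, 5, 6),
}


def parse_version(text):
    """Turn '16.7.1', 'v16.7.1' or '16.7.1-ee' into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-")[0]   # drop edition suffix such as -ee
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(text):
    """True when the given GitLab version is below the fix named for its branch."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        # Same minor branch as a listed fix: compare patch level directly.
        return version < PATCHED[branch]
    # Anything newer than the newest listed fix is assumed to carry it;
    # anything older is on a branch with no listed fix, so it must be updated.
    return version <= max(PATCHED.values())


def audit(inventory_lines):
    """Map host -> 'ok' | 'update' | 'unknown' from 'host=<name> version=<ver>' lines."""
    report = {}
    for line in inventory_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        host = fields.get("host", "?")
        try:
            report[host] = "update" if needs_update(fields["version"]) else "ok"
        except (KeyError, ValueError):
            # Missing or malformed version: surface it rather than silently passing.
            report[host] = "unknown"
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = [
        "host=gitlab-prod.example.test version=16.7.1-ee",
        "host=gitlab-stage.example.test version=16.6.4-ee",
        "host=gitlab-legacy.example.test version=16.4.3",
        "host=gitlab-new.example.test version=v16.8.0",
        "host=gitlab-broken.example.test version=latest",
    ]
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

The `unknown` bucket matters: an inventory entry whose version cannot be parsed should be investigated, not assumed safe.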

Kudos to the security researchers (@asterion04, @yvvdwf, @ali_shehab, @lotsofloops on HackerOne) and GitLab's @j.seto for identifying these issues. Stay secure, folks!

Source: GitLab Release Notes
Author: Greg Myers

Tags: #Cybersecurity #Vulnerability #GitLab #CVE2023 #PatchUpdate #InfoSec #HackerOne #DevSecOps 🛡️💻🔧
