CVE-2023-7028

Summary

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab16.1 < 16.1.6affected
GitLabGitLab16.2 < 16.2.9affected
GitLabGitLab16.3 < 16.3.7affected
GitLabGitLab16.4 < 16.4.5affected
GitLabGitLab16.5 < 16.5.6affected
GitLabGitLab16.6 < 16.6.4affected
GitLabGitLab16.7 < 16.7.2affected

Weaknesses

  • CWE-640: CWE-640: Weak Password Recovery Mechanism for Forgotten Password

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

CVE Program Container

Additional References

References