← Back to CVEs
CVE-2023-7028
CRITICALCISA KEV10.0
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
CVE Details
CVSS v3.1 Score10.0
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published1/12/2024
Last Modified10/24/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorGitLab
ProductGitLab CE/EE
Vulnerability NameGitLab Community and Enterprise Editions Improper Access Control Vulnerability
KEV Date Added2024-05-01
Remediation Due Date2024-05-22
Ransomware UseUnknown
Affected Products
gitlab:gitlab
Weaknesses (CWE)
CWE-640CWE-640
References
https://gitlab.com/gitlab-org/gitlab/-/issues/436084(cve@gitlab.com)
https://hackerone.com/reports/2293343(cve@gitlab.com)
https://gitlab.com/gitlab-org/gitlab/-/issues/436084(af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2293343(af854a3a-2127-422b-91ae-364da2661108)
https://www.vicarius.io/vsociety/posts/critical-gitlab-account-takeover-vulnerability-cve-2023-7028(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7028(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.