What is the GitLab Takeover vulnerability?
Critical vulnerabilities have been found in GitLab Community and Enterprise Editions. The most severe of them permits account takeover through password reset: the reset email can be delivered to an unverified (unauthenticated) email address, so whoever controls that address can set a new password for the account. There are reports of this being exploited in the wild.
Which versions of GitLab are vulnerable?
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
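To check an instance against the version ranges listed above, here is an added example (not code from GitLab or from this advisory) that parses a GitLab version string, such as the "version" field returned by GitLab's GET /api/v4/version endpoint, and reports whether it lies inside one of the listed ranges. Ranges are read as inclusive at both ends, so "16.1 to 16.1.5" means 16.1.0 through 16.1.5.

```python
# Added example: checks a GitLab version string against the affected ranges
# listed in the advisory above. Not part of GitLab or of the advisory itself.
import re

# (major, minor, first affected patch, last affected patch), inclusive,
# transcribed from the advisory's list.
AFFECTED_RANGES = [
    (16, 1, 0, 5),
    (16, 2, 0, 8),
    (16, 3, 0, 6),
    (16, 4, 0, 4),
    (16, 5, 0, 5),
    (16, 6, 0, 3),
    (16, 7, 0, 1),
]

# MAJOR.MINOR[.PATCH] with an optional edition/build suffix such as "-ee".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into (major, minor, patch).

    GitLab reports versions like '16.7.1' or '16.7.1-ee'; the suffix is
    ignored. A missing patch component is treated as 0 (e.g. '16.7' -> 16.7.0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    return any(
        major == r_major and minor == r_minor and r_lo <= patch <= r_hi
        for r_major, r_minor, r_lo, r_hi in AFFECTED_RANGES
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for v in ["16.7.1-ee", "16.7.2", "16.1.5", "16.1.6", "16.0.8", "16.8.0"]:
        status = "AFFECTED" if is_affected(v) else "not in listed ranges"
        print(f"{v:>10}: {status}")
```

A version outside every listed range is reported as "not in listed ranges" rather than "safe", since this advisory only enumerates the affected releases.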
How do I fix the GitLab vulnerability?
Update to a patched version (the latest release is the safest choice) and, as with any login, make sure MFA is enabled on user accounts.