
CVE-2023-7028 PoC — GitLab security vulnerability

Source
Associated Vulnerability
Title: GitLab security vulnerability (CVE-2023-7028)
Description: GitLab is an open-source end-to-end software development platform from the US company GitLab, with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery) and other features. GitLab contains a security vulnerability that stems from user account password reset emails potentially being sent to an unverified email address.
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Readme
# CVE-2023-7028
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

------
PoC tested on Kali 2023.3

- Install GitLab 16.7.0-ee in Docker

```bash
sudo docker pull gitlab/gitlab-ee:16.7.0-ee.0

# GITLAB_HOME must point at the host directory that will hold config, logs and data (e.g. /srv/gitlab)
sudo docker run --detach --publish 8443:443 --publish 2222:22 --publish 8080:80 --name gitlab-container --restart always --volume $GITLAB_HOME/config:/etc/gitlab --volume $GITLAB_HOME/logs:/var/log/gitlab --volume $GITLAB_HOME/data:/var/opt/gitlab --shm-size 256m gitlab/gitlab-ee:16.7.0-ee.0
```

> Be patient, it takes some time to start!

- Set up SMTP in the GitLab container:
  https://docs.gitlab.com/omnibus/settings/smtp.html

- Log in to GitLab

```bash
sudo docker exec -it gitlab-container grep "Password:" /etc/gitlab/initial_root_password
```

Login: root / password: the value printed by the grep above

http://my.docker.ip:8080/

- Create an account by going to "Admin Area" and then Users

![image](https://github.com/duy-31/CVE-2023-7028/assets/20819326/e7e685d1-19d8-4a6c-999b-0da4fb73f3ee)

![image](https://github.com/duy-31/CVE-2023-7028/assets/20819326/947950fe-240e-4c88-87db-bbd64beea0ba)


Next, create a user with a valid email address and verify that account.

![image](https://github.com/duy-31/CVE-2023-7028/assets/20819326/c3918585-dcbf-41da-a424-2f0f2f0fd4f6)

![image](https://github.com/duy-31/CVE-2023-7028/assets/20819326/1cf453f1-1fa3-4ffb-a62b-1023d816dba2)

- Run the PoC

```bash
./cve-2023-7028.sh https://gitlab.site.com useremail@gitlab.site.com otheremail@otherdomain.com
```

- Result: an email is sent to the original email address AND to the other email address

  ![image](https://github.com/duy-31/CVE-2023-7028/assets/20819326/b7f2919f-3ec7-47d0-a8cd-a296747b5cda)
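For the defender's side of the test above: GitLab's fix advisory (linked under Workaround/Fix below) recommends checking gitlab-rails/production_json.log for POST requests to /users/password whose email parameter is a JSON array holding more than one address. The following is an added example, not part of this PoC, that runs that check over constructed log lines; the exact field layout of the entries (the `params` list with a `user` key, `remote_ip`, `time`) is a simplified assumption and should be compared against a real deployment's log before use.

```python
"""Added detection helper for CVE-2023-7028 (not part of the PoC repository).

Flags password-reset requests whose email parameter carries more than one address,
following the log check described in GitLab's advisory. Log layout is assumed/simplified.
"""
import json

# Constructed sample lines in the (simplified) shape of production_json.log entries.
SAMPLE_LOG = r'''
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"useremail@gitlab.site.com"}}],"remote_ip":"10.0.0.5","time":"2024-01-12T10:00:00.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["useremail@gitlab.site.com","otheremail@otherdomain.com"]}}],"remote_ip":"10.0.0.9","time":"2024-01-12T10:01:00.000Z"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"10.0.0.5","time":"2024-01-12T10:02:00.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["solo@gitlab.site.com"]}}],"remote_ip":"10.0.0.7","time":"2024-01-12T10:03:00.000Z"}
'''

def email_values(entry: dict) -> list:
    """Return the email parameter(s) of a reset request as a list (assumed 'user' param key)."""
    for param in entry.get("params", []):
        if param.get("key") == "user" and isinstance(param.get("value"), dict):
            email = param["value"].get("email")
            if isinstance(email, list):
                return email
            if isinstance(email, str):
                return [email]
    return []

def find_suspicious_resets(log_text: str) -> list:
    """Return (time, remote_ip, emails) for /users/password POSTs carrying more than one email."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails = email_values(entry)
        if len(emails) > 1:
            hits.append((entry.get("time"), entry.get("remote_ip"), emails))
    return hits

if __name__ == "__main__":
    for when, ip, emails in find_suspicious_resets(SAMPLE_LOG):
        print(f"{when} {ip} requested a reset for {len(emails)} addresses: {emails}")
```

A single-element array (last sample line) is deliberately not flagged, since a normal reset can be logged that way; only multi-address requests match the advisory's indicator.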


------

Workaround/Fix: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

------

more about me ;) https://www.linkedin.com/in/duy-huan-bui/

⚠️ Disclaimer: IMPORTANT: This script is provided for educational, ethical testing, and lawful use ONLY. Do not use it on any system or network without explicit permission. Unauthorized access to computer systems and networks is illegal, and users caught performing unauthorized activities are subject to legal actions. The author is NOT responsible for any damage caused by the misuse of this script.
File Snapshot

[4.0K] /data/pocs/58188879f300a0f7b9800774143285fafc8b01c1
├── [ 618] cve-2023-7028.sh
└── [2.4K] README.md

0 directories, 2 files