module
GitLab Password Reset Account Takeover
| Disclosed | Created |
|---|---|
| 2024-01-11 | 2024-03-07 |
Disclosed
2024-01-11
Created
2024-03-07
Description
This module exploits an account-take-over vulnerability that allows users
to take control of a gitlab account without user interaction.
The vulnerability lies in the password reset functionality. Its possible to provide 2 emails
and the reset code will be sent to both. It is therefore possible to provide the e-mail
address of the target account as well as that of one we control, and to reset the password.
2-factor authentication prevents this vulnerability from being exploitable. There is no
discernable difference between a vulnerable and non-vulnerable server response.
Vulnerable versions include:
16.1
16.2
16.3
16.4
16.5
16.6
and 16.7
to take control of a gitlab account without user interaction.
The vulnerability lies in the password reset functionality. Its possible to provide 2 emails
and the reset code will be sent to both. It is therefore possible to provide the e-mail
address of the target account as well as that of one we control, and to reset the password.
2-factor authentication prevents this vulnerability from being exploitable. There is no
discernable difference between a vulnerable and non-vulnerable server response.
Vulnerable versions include:
16.1
16.2
16.3
16.4
16.5
16.6
and 16.7
Authors
h00die
asterion04
asterion04
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.