module
GitLab Password Reset Account Takeover
Disclosed | Created |
---|---|
01/11/2024 | 03/07/2024 |
Description
This module exploits an account-takeover vulnerability that allows users
to take control of a GitLab account without user interaction.
The vulnerability lies in the password reset functionality. It's possible to provide 2 emails
and the reset code will be sent to both. It is therefore possible to provide the e-mail
address of the target account as well as that of one we control, and to reset the password.
2-factor authentication prevents this vulnerability from being exploitable. There is no
discernible difference between a vulnerable and non-vulnerable server response.
Vulnerable versions include:
16.1
16.2
16.3
16.4
16.5
16.6
and 16.7
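A defender-side check for the behaviour described above, as an added example that is not part of the module or the original page: it scans request-log lines for password-reset submissions that carried more than one e-mail address. The JSON layout (fields `method`, `path`, `remote_ip`, `params`) and the `/users/password` path are assumptions modelled on GitLab's production_json.log, and the sample lines are constructed.

```ruby
require 'json'

# Constructed sample lines. Assumed layout, modelled on production_json.log:
# "method", "path", "remote_ip", and "params" as a list of {"key","value"} pairs.
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/users/password","remote_ip":"192.0.2.10","params":[{"key":"user","value":{"email":"alice@example.com"}}]}
  {"method":"POST","path":"/users/password","remote_ip":"198.51.100.7","params":[{"key":"user","value":{"email":["alice@example.com","other@example.net"]}}]}
  {"method":"GET","path":"/users/sign_in","remote_ip":"192.0.2.10","params":[]}
  not json at all
  {"method":"POST","path":"/users/password","remote_ip":"203.0.113.5","params":[{"key":"user","value":{"email":["bob@example.com"]}}]}
LOG

RESET_PATH = '/users/password' # assumed reset endpoint

# E-mail values submitted with a reset request, always returned as an array.
def reset_emails(entry)
  return [] unless entry['method'] == 'POST' && entry['path'] == RESET_PATH

  user = Array(entry['params']).find { |p| p.is_a?(Hash) && p['key'] == 'user' }
  value = user && user['value']
  return [] unless value.is_a?(Hash)

  email = value['email']
  email = email.values if email.is_a?(Hash) # tolerate a hash-shaped value
  Array(email).flatten.map(&:to_s)
end

# Reset requests that carried two or more distinct addresses.
def suspicious_resets(log_text)
  log_text.each_line.with_index(1).filter_map do |line, lineno|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # skip lines that are not JSON
    end
    next unless entry.is_a?(Hash)

    emails = reset_emails(entry).map(&:downcase).uniq
    next if emails.size < 2

    { line: lineno, remote_ip: entry['remote_ip'], emails: emails }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_resets(SAMPLE_LOG).each do |hit|
    puts "line #{hit[:line]}: #{hit[:remote_ip]} -> #{hit[:emails].join(', ')}"
  end
end
```

Because the server response does not reveal whether a host is vulnerable, a log review like this complements version checks rather than replacing them.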
Authors
h00die
asterion04
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
    msf > use auxiliary/admin/http/gitlab_password_reset_account_takeover
    msf /(r) > show actions
    ...actions...
    msf /(r) > set ACTION <action-name>
    msf /(r) > show options
    ...show and set options...
    msf /(r) > run
