GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6

A critical vulnerability, CVE-2023-7028, in GitLab CE/EE allows attackers to reset GitLab user account passwords without any user interaction. CVE-2023-7028 impacts self-managed instances running GitLab Community Edition (CE) and Enterprise Edition (EE). Accounts with two-factor authentication (2FA) enabled are still vulnerable to the password reset itself, but are protected from account takeover because the attacker cannot complete the second factor. The vulnerability was introduced in version 16.1.0 on May 1, 2023, and results from a bug in the email verification process. GitLab advised admins of self-managed instances to upgrade to a patched version (16.7.2, 16.6.4, or 16.5.6) immediately and to enable 2FA for all accounts, especially administrator accounts. The company also fixed other vulnerabilities in the updated versions, including CVE-2023-5356, CVE-2023-4812, CVE-2023-6955 and CVE-2023-2030.
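As an added example (not GitLab's own tooling), a small Python check that classifies a self-managed instance's version string against the versions named above and reports whether 2FA changes the exposure. It assumes that branches the summary does not list (16.1 through 16.4) need an upgrade to one of the listed releases, and that every release branch newer than 16.7 carries the fix.

```python
# Versions named in the advisory summary above (CVE-2023-7028).
INTRODUCED = (16, 1, 0)
PATCHED = {
    (16, 7): (16, 7, 2),
    (16, 6): (16, 6, 4),
    (16, 5): (16, 5, 6),
}
NEWEST_PATCHED_BRANCH = (16, 7)


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing edition suffix such as '-ee'
    is ignored so the string GitLab itself reports can be passed in."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, twofa_enforced: bool) -> tuple:
    """Return (status, recommended_version).

    status is one of: not_affected, patched, affected_2fa_mitigates,
    affected_takeover. recommended_version is None when no upgrade is
    needed for this CVE."""
    v = parse_version(version)
    if v < INTRODUCED:
        return ("not_affected", None)
    branch = v[:2]
    # Assumption: branches newer than the newest patched branch ship the fix.
    if branch > NEWEST_PATCHED_BRANCH:
        return ("patched", None)
    fixed = PATCHED.get(branch)
    if fixed is not None and v >= fixed:
        return ("patched", None)
    # Assumption: a branch with no listed patch (16.1-16.4) is upgraded to
    # the lowest patched release the summary names, 16.5.6.
    target = ".".join(str(n) for n in (fixed or PATCHED[(16, 5)]))
    if twofa_enforced:
        # Password reset still possible, but 2FA blocks the takeover.
        return ("affected_2fa_mitigates", target)
    return ("affected_takeover", target)
```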

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/