On 11 January 2024, GitLab published an alert concerning critical vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE). CVE-2023-7028, considered the most critical of them, allows an attacker who sends a specially forged request to the REST API to reset a user's password and log into that user's account.
Even where MFA is enabled and prevents the attacker from logging into the account, it does not stop them from changing the password.