GitLab CVE-2023-7028: The Password Reset Flaw That Took Over CI/CD
A logic error in GitLab's password reset flow sent tokens to attacker-controlled email addresses, enabling full account takeover without user interaction on self-hosted instances.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 3, 2024 · 8 min read
CVE-2023-7028 is a critical authentication vulnerability in GitLab Community Edition and Enterprise Edition. The flaw allows an unauthenticated attacker to trigger a password reset for any account and have the reset token sent to an arbitrary email address under attacker control. No user interaction is required. The CVSS 3.1 base score is 10.0.
The Logic Error Explained
GitLab's password reset endpoint accepts an array of email addresses instead of a single string. When multiple addresses are supplied, the application sends the reset token to all of them. An attacker provides both the victim's registered email and their own email in the array field of the reset request. GitLab delivers the reset token to both addresses, giving the attacker a valid token to set a new password and fully take over the account.
Affected Versions
- GitLab CE/EE 16.1 through 16.1.5 (patched in 16.1.6)
- GitLab CE/EE 16.2 through 16.2.8 (patched in 16.2.9)
- GitLab CE/EE 16.3 through 16.3.6 (patched in 16.3.7)
- GitLab CE/EE 16.4 through 16.4.4 (patched in 16.4.5)
- GitLab CE/EE 16.5 through 16.5.5 (patched in 16.5.6)
- GitLab CE/EE 16.6 through 16.6.3 (patched in 16.6.4)
- GitLab CE/EE 16.7.0 through 16.7.1 (patched in 16.7.2)
Mass Exploitation Timeline
- November 2023: GitLab identifies vulnerability during internal audit
- January 11, 2024: GitLab releases patched versions with advisory
- January 12, 2024: PoC code published within 24 hours of advisory
- January 17, 2024: CISA adds to KEV catalog with 3-week federal remediation SLA
- February 2024: Shadowserver reports thousands of unpatched instances actively targeted
Because self-hosted GitLab instances rarely auto-update, a significant portion of the estimated 30,000-plus self-hosted installations remained vulnerable weeks after the patch was available.
Why CI/CD Compromise Is Catastrophic
Gaining control of a GitLab account with maintainer or owner privileges over active repositories allows an attacker to modify CI/CD pipeline definitions, inject malicious build steps, exfiltrate secrets stored in CI/CD variables, and push backdoored code to production. The blast radius extends far beyond the compromised account itself, touching every downstream artifact and deployment.
- Inject malicious stages into .gitlab-ci.yml to steal build-time secrets
- Exfiltrate masked CI/CD variables via curl to attacker infrastructure
- Modify protected branch settings to push unreviewed commits to main
- Create deploy keys or access tokens for persistent access
- Tamper with container image build steps for supply chain compromise
Detection: What to Look For
Check GitLab application logs (production.log) for POST requests to /users/password where the email parameter appears as an array structure rather than a plain string. Also audit the audit_json.log for password reset events followed immediately by login events from previously unseen IP addresses, particularly outside business hours.
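As an added example (not code from the original article or from GitLab), the following Python checker scans constructed production.log lines for the array-shaped email parameter described above. The Rails-style log layout, the PasswordsController name and the sample addresses are assumptions; adjust the patterns to what your instance actually writes.

```python
import re
from typing import Dict, List

# Constructed sample in the Rails-style layout GitLab writes to production.log.
# The exact layout is an assumption; adjust the patterns to match your instance.
SAMPLE_LOG = """\
Started POST "/users/password" for 203.0.113.7 at 2024-01-15 02:14:09 +0000
Processing by PasswordsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"email"=>["victim@example.com", "attacker@example.net"]}}
Started POST "/users/password" for 198.51.100.4 at 2024-01-15 09:02:33 +0000
Processing by PasswordsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"email"=>"alice@example.com"}}
Started POST "/users/sign_in" for 198.51.100.4 at 2024-01-15 09:03:10 +0000
Processing by SessionsController#create as HTML
  Parameters: {"user"=>{"login"=>"alice", "password"=>"[FILTERED]"}}
Started POST "/users/password" for 203.0.113.9 at 2024-01-15 03:41:50 +0000
Processing by PasswordsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"email"=>["bob@example.com"]}}
"""

STARTED_RE = re.compile(r'^Started POST "/users/password" for (\S+) at (\S+ \S+)')
# Captures either a Ruby array literal or a plain quoted string as the email value.
EMAIL_RE = re.compile(r'"email"=>(\[[^\]]*\]|"[^"]*")')


def find_array_reset_requests(log_text: str) -> List[Dict]:
    """Return one finding per /users/password POST whose email param is an array."""
    findings: List[Dict] = []
    current = None  # request header seen, waiting for its Parameters line
    for line in log_text.splitlines():
        if line.startswith("Started "):
            m = STARTED_RE.match(line)
            current = {"ip": m.group(1), "time": m.group(2)} if m else None
            continue
        if current is None or "Parameters:" not in line:
            continue
        req, current = current, None
        em = EMAIL_RE.search(line)
        if not em or not em.group(1).startswith("["):
            continue  # plain string: the shape the legitimate reset form submits
        emails = re.findall(r'"([^"]*)"', em.group(1))
        req["emails"] = emails
        # Two or more addresses in one request is the CVE-2023-7028 pattern itself;
        # a single-element array is still not what the stock form sends.
        req["severity"] = "high" if len(set(emails)) > 1 else "medium"
        findings.append(req)
    return findings


if __name__ == "__main__":
    for f in find_array_reset_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['severity']}: {', '.join(f['emails'])}")
```

Correlate each high-severity hit with audit_json.log for a subsequent login to the targeted account from the same or a previously unseen address.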
Remediation Steps
- Update to patched version immediately; consult the version matrix above
- Review all GitLab accounts for unexpected password reset events in audit logs
- Rotate all CI/CD variables, deploy keys, and personal access tokens
- Enable mandatory MFA for all accounts, especially maintainers and owners
- Review recent pipeline changes for unauthorized modification
- Consider GitLab's Dependency Scanning to detect any injected supply chain artifacts
Structural Fixes: Defense Beyond Patching
- Enforce MFA organization-wide at the GitLab instance level
- Require approval workflows for changes to pipeline definitions
- Store sensitive secrets in a dedicated vault rather than GitLab CI variables
- Set up anomaly alerting on admin and password reset events via webhook