[GTALUG] Maximum-severity GitLab flaw allowing account hijacking under active exploitation
Ron / BCLUG
admin at bclug.ca
Thu May 2 20:33:21 EDT 2024
Scott Allen wrote on 2024-05-02 15:39:
>> Make sure you're patched if you run GitLab!
>>
> What is meant by "patched"? I use FIDO security key based 2FA for my
> GitLab account login. Is there something else I need to do?
If you administer a GitLab instance, it looks like you ought to apply a
patch from January.
If you merely have an account, MFA / 2FA will prevent someone from
taking over your account, but you may be susceptible to someone else
generating password resets on your behalf.
Which would amount to merely an inconvenience.
rb
More information about the talk
mailing list