CVE-2022-1162: Gitlab flaw allows remote attackers to take over user accounts

CVE-2022-1162
GitLab is an open-source repository management system that uses Git as its version-control tool and provides access to public and private projects through a web interface. On March 31, GitLab published a security notice fixing a vulnerability (CVE-2022-1162) in the Community Edition (CE) and Enterprise Edition (EE), rated CVSS 9.1. The flaw stems from a hardcoded static password being set for accounts registered through OmniAuth-based providers in GitLab CE/EE. The company said it is not aware of any accounts compromised by exploiting this vulnerability.

“A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue,” the company said in an advisory. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”

Affected versions

  • Gitlab CE/EE 14.7 prior to 14.7.7
  • Gitlab CE/EE 14.8 prior to 14.8.5
  • Gitlab CE/EE 14.9 prior to 14.9.2

Unaffected versions

  • Gitlab CE/EE 14.7.7
  • Gitlab CE/EE 14.8.5
  • Gitlab CE/EE 14.9.2
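To turn the version ranges above into a repeatable check across an inventory of self-managed instances, here is an added example (not GitLab's own code) that parses GitLab version strings and flags any that fall inside the three affected series; the hostnames and versions in the inventory are constructed sample data.

```python
"""Flag GitLab CE/EE instances whose version is affected by CVE-2022-1162.

Added example, not GitLab's own code. The ranges are the three stated in the
advisory (14.7 < 14.7.7, 14.8 < 14.8.5, 14.9 < 14.9.2); other series are
not listed there and are therefore reported as not affected.
"""
from __future__ import annotations

import re

# (major, minor) series -> first patch level that contains the fix
FIXED_PATCH = {(14, 7): 7, (14, 8): 5, (14, 9): 2}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ee' / '-ce' suffix (e.g. '14.8.4-ee')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version lies in an affected series below its fixed patch level."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def triage(instances: dict[str, str]) -> list[str]:
    """Return the names of instances that still need the upgrade, in inventory order."""
    return [name for name, ver in instances.items() if is_affected(ver)]


# Constructed sample inventory: hostname -> version the instance reports
SAMPLE_INVENTORY = {
    "git-prod.example": "14.8.4-ee",     # affected: below 14.8.5
    "git-staging.example": "14.9.2-ee",  # fixed release
    "git-legacy.example": "14.6.9-ce",   # series not listed in the advisory
    "git-dev.example": "14.7.0-ce",      # affected: below 14.7.7
}

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} is affected by CVE-2022-1162")
```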

Solution

GitLab has fixed CVE-2022-1162 in its latest releases; upgrade GitLab to one of the unaffected versions as soon as possible. “We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security,” the advisory continues.