CVE-2022-1162: Gitlab flaw allows remote attackers to take over user accounts

by do son · April 3, 2022

GitLab is an open-source project for a warehouse management system. It uses Git as a code management tool to access public or private projects through a web interface. On March 31, GitLab officially issued a security notice to fix a vulnerability (CVE-2022-1162) in the Community Edition (CE) and Enterprise Edition (EE), with a CVSS score of 9.1. This flaw is related to the set of hardcoded static passwords during OmniAuth-based registration in GitLab CE/EE. The company is not aware of accounts compromised by exploiting this vulnerability.

“A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue” the company said in an advisory. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”

Affected version

Gitlab CE/EE 14.7 prior to 14.7.7
Gitlab CE/EE 14.8 prior to 14.8.5
Gitlab CE/EE 14.9 prior to 14.9.2

Unaffected version

Gitlab CE/EE 14.7.7
Gitlab CE/EE 14.8.5
Gitlab CE/EE 14.9.2

Solution

At present, GitLab has fixed the CVE-2022-1162 vulnerability in the latest version, please upgrade GitLab to the unaffected version as soon as possible. “We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.” continues the advisory.

CVE-2022-1162: Gitlab flaw allows remote attackers to take over user accounts

Search

Brilliantly

Content & Links