GitLab Issues a Patch for a Critical Vulnerability That Could Allow Attackers to Take Over Accounts


GitLab, the DevOps platform, has issued software updates to address a critical security flaw that, if exploited, could allow an adversary to take over accounts. The vulnerability, tracked as CVE-2022-1162, has a CVSS score of 9.1 and was discovered internally by the GitLab team.

"A hardcoded password was set for accounts registered using an OmniAuth provider (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2," according to a March 31 advisory from the company.

GitLab also said that, out of caution, it reset the passwords of an unspecified number of GitLab.com users after addressing the bug in the latest releases of GitLab Community Edition (CE) and Enterprise Edition (EE), versions 14.9.2, 14.8.5, and 14.7.7.


"Our examination showed no evidence that users or accounts were compromised," the company said.

The company has also published a script that administrators of self-managed instances can run to identify accounts that may be affected by CVE-2022-1162. Once the impacted accounts have been identified, a password reset for each of them is advised.
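The identification step described above, as an added example that is neither GitLab's published script nor code from the original article. It combines two checks a self-managed administrator would want: whether a running version string falls inside the advisory's affected ranges, and which OmniAuth-linked accounts were created while the instance ran an affected release. Everything below the version check is an assumption made for illustration: the in-memory UserRecord stand-in, the rule that an account with at least one external identity is an OmniAuth account, and the administrator-supplied time window taken from the instance's upgrade history. On a real instance the same logic would be run against the User model through gitlab-rails runner rather than against constructed records.

```ruby
require 'time'

# Affected GitLab CE/EE release lines from the advisory: a version is affected
# when its patch level is below the fixed patch for that minor line.
FIXED_PATCH = { [14, 7] => 7, [14, 8] => 5, [14, 9] => 2 }.freeze

# True if a version string such as "14.8.3" falls in an affected range.
def affected_version?(version)
  major, minor, patch = version.to_s.split('.').map(&:to_i)
  fixed = FIXED_PATCH[[major, minor]]
  !fixed.nil? && patch.to_i < fixed
end

# Constructed in-memory stand-in for a user record (hypothetical; on a real
# instance these fields would come from the User model and its identities).
# Assumption: an account has one or more identity providers exactly when it
# is tied to an external OmniAuth provider such as LDAP, SAML or OAuth.
UserRecord = Struct.new(:username, :created_at, :providers, keyword_init: true)

def omniauth_account?(user)
  !user.providers.empty?
end

# Candidates are OmniAuth-linked accounts created inside the window
# [affected_from, patched_at) during which the instance ran an affected
# version. The window is supplied by the administrator from upgrade records;
# it is not derived from the user data itself.
def candidate_accounts(users, affected_from:, patched_at:)
  users.select do |u|
    omniauth_account?(u) && u.created_at >= affected_from && u.created_at < patched_at
  end
end

# Constructed sample data (not real accounts).
SAMPLE_USERS = [
  UserRecord.new(username: 'alice', created_at: Time.utc(2022, 2, 10), providers: ['ldapmain']),
  UserRecord.new(username: 'bob',   created_at: Time.utc(2022, 2, 12), providers: []),
  UserRecord.new(username: 'carol', created_at: Time.utc(2021, 12, 1), providers: ['saml']),
  UserRecord.new(username: 'dave',  created_at: Time.utc(2022, 3, 20), providers: ['google_oauth2'])
].freeze

if __FILE__ == $PROGRAM_NAME
  # Hypothetical upgrade history: the instance moved to a 14.7.x release on
  # 2022-01-25 and was patched to a fixed release on 2022-04-01.
  puts "running version affected: #{affected_version?('14.8.3')}"
  found = candidate_accounts(SAMPLE_USERS,
                             affected_from: Time.utc(2022, 1, 25),
                             patched_at: Time.utc(2022, 4, 1))
  found.each do |u|
    puts "reset password for #{u.username} (providers: #{u.providers.join(',')})"
  end
end
```

Two caveats for anyone adapting this. First, the window check is deliberately broad: it flags every OmniAuth-linked account created while an affected version was running, which may include accounts that were never given the hardcoded password, so treat GitLab's own script as the authoritative tool and this as a cross-check. Second, over-flagging is cheap here, because the accounts in question sign in through their provider anyway and a reset of the local password costs them nothing, while missing an account leaves a known password in place.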

GitLab's security update also fixes two high-severity stored cross-site scripting (XSS) vulnerabilities (CVE-2022-1175 and CVE-2022-1190), nine medium-severity issues, and five low-severity issues.

Given the severity of some of the issues, users running affected installations are strongly urged to upgrade to a fixed version as soon as possible.
