Critical CVE-2022-1162 flaw in GitLab allowed threat actors to take over accounts

GitLab has addressed a critical vulnerability, tracked as CVE-2022-1162 (CVSS score of 9.1), that could allow remote attackers to take over user accounts.

The CVE-2022-1162 vulnerability is related to the set of hardcoded static passwords during OmniAuth-based registration in GitLab CE/EE.

“A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue” reads the advisory published by GitLab. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”

The bug was addressed with the latest release of versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). The company also announced the password reset of an unspecified number of users as a precautionary measure.

“We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.” continues the advisory.

GitLab is not aware of accounts compromised by exploiting this vulnerability.

The company has developed a script that can be used to identify user accounts potentially impacted by CVE-2022-1162.

Upon finding potentially affected user accounts, admins have to reset the users’ passwords.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-1162)

[adrotate banner=”5″]

[adrotate banner=”13″]