GitLab recently issued software updates to address a critical security flaw that, if exploited, could have allowed an attacker to take over users' accounts. The vulnerability, tracked as CVE-2022-1162, has a CVSS score of 9.1 and was discovered internally by the GitLab team.
GitLab is a DevOps platform that allows QA, Development, Product, Security, and Operations teams to collaborate on the same project at all phases of the DevOps process. GitLab is trusted by over 100,000 companies ranging from startups to big enterprises, like NASDAQ, Dish Network, Jaguar Land Rover, Comcast, and Ticketmaster.
"A hardcoded password was set for accounts registered using an OmniAuth provider (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in an advisory published on March 31. "Our investigation shows no indication that users or accounts have been compromised," it added.
To address the bug, versions 14.9.2, 14.8.5, and 14.7.7 of GitLab Community Edition (CE) and Enterprise Edition (EE) were released. In addition, the company published a script that operators of self-managed instances can use to identify accounts that may be affected by CVE-2022-1162, and it recommends resetting the password of every account the script flags. As part of the same security release, the company also fixed two high-severity stored cross-site scripting (XSS) bugs (CVE-2022-1175 and CVE-2022-1190), as well as nine medium-severity and five low-severity issues.
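The check an operator would run boils down to three steps: select accounts that were created through an OmniAuth identity, test whether their stored credential still verifies against the known hardcoded value, and rotate the credential of every match. The following is an added illustration of that logic, not GitLab's own remediation script. It models users as plain Ruby structs with a stdlib PBKDF2 digest standing in for the real bcrypt column, and both the provider names and the `HARDCODED_PASSWORD` value are placeholders, since the page does not state the actual password; the sample directory is constructed for the example.

```ruby
# Added example, not GitLab's script: find accounts registered through an
# OmniAuth provider that still carry a known hardcoded password, then rotate them.
require "openssl"
require "securerandom"

HARDCODED_PASSWORD = "placeholder-hardcoded-password".freeze   # assumption: stand-in value
OMNIAUTH_PROVIDERS = %w[saml ldapmain google_oauth2 github].freeze # assumed provider names
PBKDF2_ITERATIONS = 10_000
DIGEST_LENGTH = 32

# Stand-in for the password hash column (GitLab uses bcrypt via Devise; PBKDF2
# from the Ruby stdlib keeps this example free of external dependencies).
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: DIGEST_LENGTH, hash: "sha256")
end

# Constant-time comparison so the audit itself does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

User = Struct.new(:username, :salt, :password_digest, :identities, keyword_init: true)

# Scope of the advisory: accounts that came in through an OmniAuth provider.
def registered_via_omniauth?(user)
  user.identities.any? { |provider| OMNIAUTH_PROVIDERS.include?(provider) }
end

def hardcoded_password?(user)
  secure_compare(user.password_digest, hash_password(HARDCODED_PASSWORD, user.salt))
end

# Usernames matching the affected profile: OmniAuth identity + hardcoded password.
def affected_accounts(users)
  users.select { |u| registered_via_omniauth?(u) && hardcoded_password?(u) }.map(&:username)
end

# Rotates each affected account to a fresh random secret (forcing a password reset);
# returns the usernames that were rotated.
def reset_affected!(users)
  users.select { |u| registered_via_omniauth?(u) && hardcoded_password?(u) }.each do |u|
    u.salt = SecureRandom.random_bytes(16)
    u.password_digest = hash_password(SecureRandom.base64(32), u.salt)
  end.map(&:username)
end

def make_user(username, password, identities)
  salt = SecureRandom.random_bytes(16)
  User.new(username: username, salt: salt,
           password_digest: hash_password(password, salt), identities: identities)
end

# Constructed sample directory: two SSO users still on the hardcoded password,
# one SSO user already rotated, and one local (non-OmniAuth) account.
def sample_users
  [
    make_user("alice", HARDCODED_PASSWORD, %w[saml]),
    make_user("bob", HARDCODED_PASSWORD, %w[google_oauth2]),
    make_user("carol", "already-rotated-secret", %w[ldapmain]),
    make_user("dave", "local-account-secret", [])
  ]
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  puts "Affected before reset: #{affected_accounts(users).join(', ')}"
  reset_affected!(users)
  puts "Affected after reset:  #{affected_accounts(users).inspect}"
end
```

On a real instance the selection would be a query against the users and identities tables, and the version window in the advisory tells an operator which account creation dates need checking; the credential test and forced rotation are the parts that carry over unchanged.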
Because the issues are critical, operators of affected installations are strongly encouraged to upgrade to a patched version as soon as possible.