GitLab Patches Critical Account Takeover Vulnerability

According to the company, in GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 14.7.7, 14.8.5, and 14.9.2, a hardcoded password was set on accounts that were registered through an OmniAuth provider.

The critical-severity bug, which is tracked as CVE-2022-1162 (CVSS score of 9.1), could allow attackers to take over accounts.

In addition to addressing the vulnerability, GitLab reset the passwords for users whom it believes might have been impacted by the bug.
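The following Ruby example is added here to illustrate the class of bug described above (a fixed password assigned to provider-registered accounts) beside its hardened form, and the kind of check a forced password reset relies on. It is not GitLab's code: the auth hash, the `HARDCODED_PASSWORD` placeholder, the helper names and the salted SHA-256 stand-in for a real password hash such as bcrypt are all assumptions made for this example.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical OmniAuth auth hash, constructed for this example.
SAMPLE_AUTH = {
  'provider' => 'example-oauth',
  'uid'      => '12345',
  'info'     => { 'email' => 'alice@example.test', 'name' => 'Alice' }
}.freeze

# Placeholder standing in for whatever static value an anti-pattern like
# this bakes in; it is NOT GitLab's actual value.
HARDCODED_PASSWORD = 'static-placeholder-password'.freeze

# Stand-in for a slow password hash (bcrypt in Rails/Devise). Salted SHA-256
# is used only so that the example runs with the standard library.
def password_digest(password, salt)
  Digest::SHA256.hexdigest("#{salt}:#{password}")
end

# Anti-pattern: every account created from an OmniAuth login receives the
# same fixed password, so the password login form accepts a known value for
# all of them regardless of the external identity provider.
def build_user_weak(auth)
  salt = SecureRandom.hex(8)
  {
    email: auth['info']['email'],
    provider: auth['provider'],
    uid: auth['uid'],
    salt: salt,
    password_digest: password_digest(HARDCODED_PASSWORD, salt)
  }
end

# Hardened: a fresh, unguessable per-account password from the CSPRNG
# (or, better still, no usable local password at all for provider-backed
# accounts, which this example does not model).
def build_user_hardened(auth)
  salt = SecureRandom.hex(8)
  random_password = SecureRandom.base64(48) # 384 bits of entropy
  {
    email: auth['info']['email'],
    provider: auth['provider'],
    uid: auth['uid'],
    salt: salt,
    password_digest: password_digest(random_password, salt)
  }
end

# Remediation check: returns the emails of accounts whose stored digest
# matches the known static value, i.e. the accounts a forced password reset
# must cover. Each user's own salt is applied before comparing.
def accounts_needing_reset(users, known_static = HARDCODED_PASSWORD)
  users
    .select { |u| u[:password_digest] == password_digest(known_static, u[:salt]) }
    .map { |u| u[:email] }
end

if __FILE__ == $PROGRAM_NAME
  users = [build_user_weak(SAMPLE_AUTH), build_user_hardened(SAMPLE_AUTH)]
  puts "accounts to reset: #{accounts_needing_reset(users).inspect}"
end
```

The check works only because the static value is known to the operator; with a properly random per-account password there is nothing to compare against, which is the point of the hardened path.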
