Articles Critical bug in GitLab allows you to take over...

Critical bug in GitLab allows you to take over other people’s accounts

-

GitLab has fixed a critical vulnerability that allowed remote attackers to gain access to user accounts using hard-coded passwords. CVE-2022-1162  affected both GitLab Community Edition (CE) and Enterprise Edition (EE).

The developers explain that static passwords were erroneously set during OmniAuth-based registration with GitLab CE/EE.

“Accounts registered using OmniAuth (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 to 14.7.7, 14.8 to 14.8.5, and 14.9 to 14.9.2 have been set to a hardcoded password, in theory allowing attackers to take over accounts,” the GitLab team explains in a security bulletin.

The commit posted two days ago shows that GitLab removed the lib/gitlab/password.rb file that was used to assign a hardcoded password to the TEST_DEFAULT constant.

GitLab now encourages users to update all installations to the latest versions (14.9.2, 14.8.5, or 14.7.7) as soon as possible to guard against possible attacks. The developers also added that they have already reset the passwords of some GitLab.com users in an effort to mitigate the effects of CVE-2022-1162. At the same time, it is emphasized that so far no signs of compromise and exploitation of this bug by hackers have been found.

Although no attacks on the vulnerability have yet been recorded, the company has created a script that will allow administrators to find user accounts that are potentially vulnerable to CVE-2022-1162. If vulnerable accounts are found, administrators are advised to reset their passwords immediately.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you