ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Gitlab vulnerabilities

This live blog contains information regarding Gitlab vulnerabilities. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on April 2, 2022.

Update April 2, 2022

12:00 | On March 31st, Gitlab has released their monthly security update. This security update solves one critical vulnerability, identified as CVE-2022-1162. This vulnerability describes hardcoded passwords set for user accounts registered using an OmniAuth provider.

It is advised to apply this security patch as soon as possible. Additionally, it is advised to reset the password of impacted user accounts. Gitlab has released a script to identify potentially impacted user accounts.

Are my systems vulnerable?

The following versions of Gitlab Community Edition and Enterprise Edition are vulnerable:

  • 14.7 prior to 14.7.7
  • 14.8 prior to 14.8.5
  • 14.9 prior to 14.9.2

What can I do to reduce or stop potential damage?

Gitlab has released security updates mitigating this and several other vulnerabilities. It is strongly advised to upgrade as soon as possible to one of the following versions:

  • 14.7.7
  • 14.8.5
  • 14.9.2

Additionally, it is advised to reset the password for potentially impacted user accounts. Gitlab has released a script to identify those user accounts.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

The use of hardcoded passwords may allow attackers to take over user accounts configured with those hardcoded passwords.

Vulnerability information

The monthly security update fixes multiple vulnerabilities. The most severe one, which is the subject of this advisory, is CVE-2022-1162. This vulnerability describes hardcoded passwords set for user accounts registered using the OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab Community Edition and Enterprise Edition. The CVE has a CVSS score of 9.1. The CVSS scale runs from 0 to 10.

Background

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.