GitLab has issued a security update to address a Critical vulnerability, CVE-2022-1162, in which a static password was inadvertently set on accounts created through OmniAuth-based registration.
“A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts,” GitLab warned in the advisory.
The vulnerability CVE-2022-1162 is rated Critical severity (CVSS score 9.1).
The GitLab team performed a reset of GitLab.com passwords for a selected set of users and provided an update on the impact.
“Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security,” GitLab added.
Moreover, GitLab also addresses two High severity vulnerabilities, Stored XSS in notes (CVSS 8.7) and Stored XSS in multi-word milestone references (CVSS 8.7), as well as multiple other Medium severity issues.