GitLab, in a security advisory published today, disclosed a critical vulnerability affecting both its Community Edition (CE) and Enterprise Edition (EE), through which attackers can remotely take over user accounts.

The flaw concerns hardcoded passwords that were set when users registered through OmniAuth providers. Because such accounts are left exposed, GitLab issued a patch and urged users to update their instances immediately. As a precautionary measure, it also reset the credentials of a selected set of user accounts.

Password Vulnerability in GitLab Suite

Hardcoded passwords, which are embedded in source code without any protection, are always a target for attackers. Since they are easily exposed, platform makers should routinely look for such instances and remove them, which is what GitLab has now done.

In the security advisory it published today, GitLab said a critical vulnerability tracked as CVE-2022-1162 affects GitLab Community Edition (CE) and Enterprise Edition (EE), versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.

The issue stems from static passwords accidentally set during OmniAuth-based registration (for example via OAuth, LDAP or SAML) in GitLab CE/EE, which exposed those passwords and ultimately allowed attackers to take over accounts remotely.

GitLab has therefore released patched versions for all vulnerable releases of GitLab Community Edition and Enterprise Edition (14.9.2, 14.8.5 and 14.7.7) and urged users to update to the latest version immediately.
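As an added triage helper for administrators with several instances to check, not the script GitLab published, the following function compares a GitLab version string against the affected ranges quoted above and names the patched release to upgrade to; the sample inventory is constructed.

```python
"""Triage helper for CVE-2022-1162: is a GitLab CE/EE version inside an
affected range from the advisory, and which patched release fixes it?"""
import re
from typing import Optional, Tuple

# Affected series and their patched releases, as stated in the advisory:
# 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, 14.9 prior to 14.9.2.
FIXED_VERSIONS = {
    (14, 7): (14, 7, 7),
    (14, 8): (14, 8, 5),
    (14, 9): (14, 9, 2),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '14.8.4', 'v14.8.4-ee' or '14.9.1-pre' into (major, minor, patch).
    Edition suffixes such as '-ee' / '-ce' do not affect the comparison."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def cve_2022_1162_status(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for a GitLab version string.

    'affected'   - inside a range the advisory lists; upgrade to fixed_version
    'patched'    - same series, at or above the patched release
    'not-listed' - a series the advisory does not name (no verdict implied)
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "not-listed", None
    fixed_str = ".".join(str(x) for x in fixed)
    if (major, minor, patch) < fixed:
        return "affected", fixed_str
    return "patched", fixed_str


if __name__ == "__main__":
    # Constructed sample inventory of self-managed instances, not real hosts.
    inventory = {"gitlab-a": "14.8.4-ee", "gitlab-b": "v14.9.2",
                 "gitlab-c": "14.7.0", "gitlab-d": "14.6.9"}
    for host, ver in inventory.items():
        status, fixed = cve_2022_1162_status(ver)
        hint = f", upgrade to {fixed}" if status == "affected" else ""
        print(f"{host}: {ver} -> {status}{hint}")
```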

While assuring that no accounts are known to have been hijacked so far, GitLab reset the passwords of a selected number of user accounts as a precaution. GitLab users unsure whether their accounts are safe can rely on a script GitLab has provided for self-managed instance administrators to check.

Over 100,000 organizations use GitLab’s DevOps platform, and it has an estimated 30 million registered users across 66 countries, according to the company’s website.
