Wednesday, October 16, 2024

GitLab Provides Patch To Mitigate Account takeover Vulnerability

GitLab, the DevOps platform vendor, has released security updates to fix a critical vulnerability that, if exploited, would let a remote attacker sign in to other users' accounts with a hardcoded password and take them over.

Separately, a few days earlier, Google also fixed a serious vulnerability in a web application firewall.

According to GitLab, their DevOps platform is used by over 100,000 enterprises. The company believes that it has more than 30 million registered users from 66 countries around the world.

About the Bug

The vulnerability, tracked as CVE-2022-1162, carries a CVSS score of 9.1 and was found internally by the GitLab team. Both GitLab Community Edition (CE) and Enterprise Edition (EE) are affected. According to GitLab, a hardcoded password was set on accounts registered through an OmniAuth provider (for example OAuth, LDAP or SAML), so anyone who knew that password and a target's login could authenticate as that user. The flaw is present in GitLab CE and EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.

GitLab recommends that customers upgrade all GitLab installations to the patched versions (14.9.2, 14.8.5 or 14.7.7) immediately.

“We highly advise that all installations using a version affected by the concerns listed below be upgraded to the newest version as soon as possible,” they wrote.

According to a code commit pushed two days ago, GitLab removed the ‘lib/gitlab/password.rb’ file, which assigned a weak hardcoded password to a constant named ‘TEST_DEFAULT’.

Password Reset Among GitLab Users

GitLab also said that, as part of its CVE-2022-1162 mitigation, it reset the passwords of a limited number of GitLab.com users, and that it found no evidence of any accounts being compromised through this hardcoded-password weakness.

Administrators of self-managed instances are urged to identify potentially affected user accounts and reset their passwords.

Although GitLab says no user accounts have been compromised so far, it has published a script that self-managed instance administrators can use to identify user accounts that may be affected by the flaw.
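To make the bug, the fix and the detection step concrete, here is an added Ruby example written for this article. It is not GitLab's code and not the admin script GitLab published, and it does not reproduce the real TEST_DEFAULT value: the constant below is a constructed placeholder, the User class with a PBKDF2 hash stands in for the Devise/bcrypt storage a real Rails app uses, and the provider names and sample accounts are constructed. It shows the vulnerable pattern of provisioning an OmniAuth-created account with a fixed password, the fixed pattern using a per-account random password, and a check in the spirit of GitLab's detection script that flags OmniAuth accounts whose stored credential still verifies against the known constant, followed by a password reset.

```ruby
require 'openssl'
require 'securerandom'

# Constructed placeholder standing in for the removed Gitlab::Password::TEST_DEFAULT
# constant; the real value is deliberately not reproduced here.
TEST_DEFAULT = 'placeholder-not-the-real-constant'

# Minimal user record with a salted PBKDF2 password hash (a stand-in for the
# Devise/bcrypt storage a real Rails app would use; iteration count is assumed).
class User
  attr_reader :username, :provider

  def initialize(username, provider, password)
    @username = username
    @provider = provider # 'password' for local sign-up, else the OmniAuth provider name
    set_password!(password)
  end

  def set_password!(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = User.derive(password, @salt)
    self
  end

  def valid_password?(password)
    User.secure_compare(User.derive(password, @salt), @digest)
  end

  def self.derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 20_000,
                             length: 32, hash: 'sha256')
  end

  # Constant-time comparison so the check itself does not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Vulnerable pattern (the pre-14.7.7/14.8.5/14.9.2 behaviour): an account created
# by an OmniAuth callback gets the same fixed password as every other such account.
def build_omniauth_user_vulnerable(username, provider)
  User.new(username, provider, TEST_DEFAULT)
end

# Fixed pattern: every OmniAuth-provisioned account gets its own random password
# that nobody, including the provisioning code, ever learns.
def build_omniauth_user_fixed(username, provider)
  User.new(username, provider, SecureRandom.urlsafe_base64(32))
end

# Detection in the spirit of GitLab's admin script (not that script): flag
# non-local accounts whose stored credential still verifies against the
# constant. Returns the affected usernames.
def affected_users(users)
  users.select { |u| u.provider != 'password' && u.valid_password?(TEST_DEFAULT) }
       .map(&:username)
end

# Remediation: rotate the password so the known value no longer authenticates.
# Returns the usernames that were reset.
def reset_affected!(users)
  names = affected_users(users)
  users.each { |u| u.set_password!(SecureRandom.urlsafe_base64(32)) if names.include?(u.username) }
  names
end

# Constructed sample data: one account from the vulnerable code path, one from
# the fixed path, one local sign-up with a user-chosen password.
SAMPLE_USERS = [
  build_omniauth_user_vulnerable('alice', 'google_oauth2'),
  build_omniauth_user_fixed('bob', 'saml'),
  User.new('carol', 'password', 'carols-own-secret'),
]

puts "affected before reset: #{affected_users(SAMPLE_USERS).inspect}"
puts "reset: #{reset_affected!(SAMPLE_USERS).inspect}"
puts "affected after reset:  #{affected_users(SAMPLE_USERS).inspect}"
```

Run it with `ruby hardcoded_password_check.rb`. The practical point the example makes visible is why GitLab both shipped a fix and reset passwords: the "secret" is only as secret as the source tree, so upgrading alone does not help accounts that were created while the vulnerable code path was live; those keep the known password until it is rotated, which is what the detection-and-reset step does.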

“As of 15:38 UTC, we reset GitLab.com passwords for a restricted group of users,” the GitLab staff announced. “Our investigation has revealed no evidence that users or accounts have been compromised. However, we are taking cautious precautions to ensure the safety of our users.”

Asked how many GitLab.com users had their passwords reset, a GitLab representative pointed BleepingComputer to the information already in the advisory, saying only that it was done for “a restricted group of people.”
