The flaw, discovered internally and tracked as CVE-2022-1162, affects both GitLab Community Edition (CE) and Enterprise Edition (EE). It stems from a static password being accidentally assigned to accounts created through OmniAuth-based registration in GitLab CE/EE.
"For accounts registered using an OmniAuth provider (for example OAuth, LDAP or SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5 and 14.9 prior to 14.9.2, a hard-coded password was set, allowing attackers to potentially take over accounts," the GitLab team explained in a security bulletin published on Thursday.
GitLab urged users to immediately update all GitLab installations to the latest versions (14.9.2, 14.8.5 or 14.7.7) to block potential attacks.
“We strongly recommend that all installations working with vulnerable versions be updated to the latest version as soon as possible,” the company warned.
As part of the fix for the critical vulnerability, GitLab removed the lib/gitlab/password.rb file, whose TEST_DEFAULT constant held the hard-coded password that was being assigned to these accounts.
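To make the root cause concrete, the following is an added illustrative reconstruction of the pattern, not GitLab's own code: a constant intended for test fixtures leaks into the code path that provisions accounts for OmniAuth sign-ins, so every such account ends up with the same, publicly known password. The hardened variant assigns an unguessable per-account secret instead. The constant's value, the User struct and the helper names are placeholders chosen for this example.

```ruby
require 'securerandom'

# Placeholder standing in for a fixture constant such as the TEST_DEFAULT the
# advisory refers to. The value here is invented for the example.
module TestFixtures
  TEST_DEFAULT = 'fixture-password-for-specs-only'.freeze
end

# Minimal account model for the example (hypothetical, not GitLab's User).
User = Struct.new(:email, :provider, :password, keyword_init: true)

# Vulnerable pattern: OmniAuth registration never asks the user for a
# password, so a "default" is filled in. Because it is a single constant,
# anyone who knows it can log in with just the victim's e-mail address
# through the ordinary password form, bypassing the identity provider.
def build_omniauth_user_vulnerable(email:, provider:)
  User.new(email: email, provider: provider, password: TestFixtures::TEST_DEFAULT)
end

# Hardened pattern: generate a random, per-account secret that nobody knows.
# The user authenticates through the provider anyway; anyone who wants a
# local password has to go through a reset flow rather than reuse a constant.
def build_omniauth_user_fixed(email:, provider:)
  User.new(email: email, provider: provider,
           password: SecureRandom.urlsafe_base64(32))
end

# Password-form login as an attacker would exercise it.
def password_login?(user, email, password)
  user.email == email && user.password == password
end

# Convenience check: do two accounts share a password? With the vulnerable
# builder this is always true for OmniAuth accounts; with the fix it is not.
def shared_password?(a, b)
  a.password == b.password
end
```

Note that removing the constant alone is not enough if the registration path still needs a value; the point of the fix is that whatever fills the password field must be unique and unknown to third parties.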
GitLab has also reset the passwords of some GitLab.com users so that CVE-2022-1162 cannot be exploited against them in the future. The company says it found no evidence that user credentials were compromised in this incident, but it has not disclosed details of its investigation.
As part of mitigating the incident, GitLab published a script that searches for user accounts exposed to CVE-2022-1162. If any are found, administrators are advised to reset those accounts' passwords.
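The following is an added example of the kind of check such a script performs; it is not GitLab's published script. It encodes the affected version ranges from the advisory (lower bound inclusive, fixed version exclusive) and flags accounts that were created through an OmniAuth provider while a vulnerable version was running. It assumes you can supply your instance's upgrade history (which version was live when) and, per account, its creation time and the providers linked to it; the Account struct, the upgrade history and the sample accounts below are constructed for the example.

```ruby
require 'time'

# Affected ranges from the advisory: 14.7 prior to 14.7.7, 14.8 prior to
# 14.8.5, 14.9 prior to 14.9.2. Each entry is [first_vulnerable, first_fixed].
VULNERABLE_RANGES = [
  [[14, 7, 0], [14, 7, 7]],
  [[14, 8, 0], [14, 8, 5]],
  [[14, 9, 0], [14, 9, 2]],
].freeze

# Parse "14.8.3" or "14.8.3-ee" into a comparable [major, minor, patch] array.
def parse_version(str)
  m = str.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised version: #{str.inspect}" unless m

  m.captures.map(&:to_i)
end

# True when the version falls inside one of the affected ranges.
# Array#<=> compares element-wise, so [14, 10, 0] sorts above [14, 9, 2].
def vulnerable_version?(str)
  v = parse_version(str)
  VULNERABLE_RANGES.any? { |lo, hi| (v <=> lo) >= 0 && (v <=> hi).negative? }
end

# Given a chronological upgrade history [[Time, version], ...], return the
# version that was running at time t (the last upgrade not after t), or nil
# if t predates the recorded history.
def version_at(history, t)
  entry = history.select { |at, _| at <= t }.last
  entry && entry[1]
end

# Hypothetical account record: creation time plus the OmniAuth providers
# linked to it (empty for a local password-only account).
Account = Struct.new(:username, :created_at, :providers, keyword_init: true)

# Accounts registered via OmniAuth while a vulnerable version was live.
# Accounts that existed beforehand and only later linked a provider are not
# flagged, because the hard-coded password was set at registration time.
def exposed_accounts(accounts, history)
  accounts.select do |a|
    next false if a.providers.empty?

    v = version_at(history, a.created_at)
    v && vulnerable_version?(v)
  end
end

# Constructed sample data for the example (dates are invented, not release dates).
UPGRADE_HISTORY = [
  [Time.utc(2022, 1, 25), '14.7.0'],
  [Time.utc(2022, 2, 24), '14.8.1-ee'],
  [Time.utc(2022, 3, 31), '14.9.2-ee'],
].freeze

SAMPLE_ACCOUNTS = [
  Account.new(username: 'alice', created_at: Time.utc(2022, 1, 10), providers: []),
  Account.new(username: 'bob',   created_at: Time.utc(2022, 2, 1),  providers: ['saml']),
  Account.new(username: 'carol', created_at: Time.utc(2022, 3, 1),  providers: []),
  Account.new(username: 'dave',  created_at: Time.utc(2022, 3, 5),  providers: ['ldapmain']),
  Account.new(username: 'erin',  created_at: Time.utc(2022, 4, 2),  providers: ['saml']),
].freeze

def exposed_usernames
  exposed_accounts(SAMPLE_ACCOUNTS, UPGRADE_HISTORY).map(&:username)
end

puts exposed_usernames.join(', ') if $PROGRAM_NAME == __FILE__
```

Treat the output as a candidate list for password resets rather than proof of compromise: the check establishes which accounts received the static password, not whether anyone used it.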
According to GitLab, more than 100,000 organizations use the DevOps platform, and the company estimates that it has more than 30 million registered users from 66 countries around the world.