
After fixing a critical account takeover vulnerability, the DevOps platform GitLab has reset the passwords of some user accounts.
According to the company, when an account was registered using an OmniAuth provider in GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 14.7.7, 14.8.5, and 14.9.2, a hardcoded password was set on that account.
CVE-2022-1162 (CVSS score of 9.1) is a critical-severity flaw that could allow attackers to take control of accounts: because the password is a fixed value rather than a per-account secret, anyone who knows it can sign in to an affected account with password authentication instead of through the provider.
In addition to addressing the vulnerability, GitLab also reset the passwords of users it believes were affected by the bug.
“Our investigation has revealed no evidence that users or accounts have been compromised,” the company said. “However, we are taking precautionary measures to ensure the security of our users.”
GitLab has also released a script to help administrators identify accounts that may be vulnerable to CVE-2022-1162. The passwords of all impacted accounts should be reset.
This flaw, along with two high-severity cross-site scripting (XSS) vulnerabilities, is addressed in the latest GitLab release.
The first of the bugs, CVE-2022-1175 (CVSS score of 8.7), exists due to improper neutralisation of user input in notes. An attacker could exploit the XSS by injecting HTML into notes.
The second high-severity flaw is CVE-2022-1190 (CVSS score of 8.7), which is caused by incorrect handling of user input. An attacker could take advantage of the flaw by using multi-word milestone references in issue descriptions or comments.
These issues, as well as 14 other medium- and low-severity bugs, are addressed in GitLab CE/EE versions 14.9.2, 14.8.5, and 14.7.7. All users are advised to upgrade to a current release as soon as possible.
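As an added illustration of the bug class and of what such an audit script has to do (this is not GitLab's code, and not the script the company released, whose contents the article does not give): a hypothetical OmniAuth-style registration path with the flawed pattern beside its fix, plus an audit that flags provider-created accounts whose stored hash still verifies against the known constant. The constant value, the hashing scheme and the user records are all assumptions made for the example.

```ruby
# Added example, not GitLab's code and not the company's audit script.
# It shows why a fixed password for provider-created accounts is an
# account-takeover bug, the fixed pattern, and how an audit can flag the
# accounts that still carry the constant. Everything here is assumed:
# the constant, the hashing scheme and the user records.
require 'openssl'
require 'securerandom'

# Placeholder only: the real hardcoded value is not given in the article.
HARDCODED_PASSWORD = 'placeholder-hardcoded-password'.freeze
PBKDF2_ITERATIONS = 10_000

# Salted PBKDF2-HMAC-SHA256 as a stand-in for whatever hasher a real
# application uses; stored as "<hex salt>$<hex digest>".
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                                    iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: 'sha256')
  "#{salt}$#{digest.unpack1('H*')}"
end

# Constant-time equality so verification does not leak which byte of the
# digest first differs.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  salt, digest = stored.split('$', 2)
  recomputed = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt,
                                        iterations: PBKDF2_ITERATIONS,
                                        length: 32, hash: 'sha256')
  constant_time_eq?(recomputed.unpack1('H*'), digest)
end

# Flawed pattern: every account created through the OmniAuth provider gets
# the same known password, so anyone who knows it can sign in with
# e-mail + password and never touch the provider at all.
def create_user_vulnerable(auth)
  { email: auth[:email], provider: auth[:provider],
    password_hash: hash_password(HARDCODED_PASSWORD) }
end

# Fixed pattern: a per-account random secret that nobody knows (the user
# sets a real password explicitly if they want password sign-in).
def create_user_fixed(auth)
  { email: auth[:email], provider: auth[:provider],
    password_hash: hash_password(SecureRandom.hex(32)) }
end

# Audit: return the e-mails of provider-created accounts whose stored hash
# still verifies against the constant. Those are the ones to reset.
def affected_accounts(users)
  users.select { |u| u[:provider] && password_matches?(u[:password_hash], HARDCODED_PASSWORD) }
       .map { |u| u[:email] }
end

# Constructed sample data (not real accounts).
SAMPLE_AUTHS = [
  { email: 'alice@example.com', provider: 'google_oauth2' },
  { email: 'bob@example.com',   provider: 'github' },
].freeze

def demo_affected
  # One account created by the flawed path, one by the fixed path, and a
  # local (non-provider) account that is out of scope for the check.
  users = [
    create_user_vulnerable(SAMPLE_AUTHS[0]),
    create_user_fixed(SAMPLE_AUTHS[1]),
    { email: 'carol@example.com', provider: nil,
      password_hash: hash_password('carols-own-password') },
  ]
  affected_accounts(users)
end

puts demo_affected.inspect if $PROGRAM_NAME == __FILE__
```

The audit deliberately verifies the constant against each stored hash rather than looking for a flag on the record, because a flag can be wrong or absent while the hash is the ground truth; in a real deployment the hashing call would be whatever the application's authentication library uses, and the check would be scoped to accounts created in the affected version window.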