After fixing a critical account takeover vulnerability, the DevOps platform GitLab has reset the passwords of some user accounts.
According to the company, when an account was registered using an OmniAuth provider in GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 14.7.7, 14.8.5, and 14.9.2, a hardcoded password was set.
CVE-2022-1162 (CVSS score of 9.1) is a critical-severity flaw that could allow attackers to take control of accounts.
GitLab also reset the passwords of users who it believes were affected by the bug, in addition to addressing the vulnerability.
“Our investigation has revealed no evidence that users or accounts have been compromised,” the company said. “However, we are taking precautionary measures to ensure the security of our users.”
GitLab has also released a script to help administrators identify accounts that may be vulnerable to CVE-2022-1162. All impacted accounts’ passwords should be reset.
This flaw, as well as two high-severity cross-site scripting (XSS) vulnerabilities, are addressed in the latest GitLab release.
The first of the bugs, CVE-2022-1175 (CVSS score of 8.7), exists due to improper neutralisation of user input in notes. An attacker could exploit the XSS by injecting HTML into notes.
The second high-severity flaw is CVE-2022-1190 (CVSS score of 8.7), which is caused by incorrect user input handling. An attacker could take advantage of the flaw by using multi-word milestone references in issue descriptions or comments.
These issues, as well as 14 other medium- and low-severity bugs, are addressed in GitLab CE/EE versions 14.9.2, 14.8.5, and 14.7.7. All users are advised to upgrade to a current release as soon as possible.
