Security News > 2022 > April > Critical GitLab vulnerability lets attackers take over accounts
GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords.
The bug affects both GitLab Community Edition and Enterprise Edition.
This flaw results from static passwords accidentally set during OmniAuth-based registration in GitLab CE/EE. "A hardcoded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the GitLab team explained in a security advisory published on Thursday.
GitLab urged users to immediately upgrade all GitLab installations to the latest versions to block potential attacks.
"We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC," the GitLab team said.
Over 100,000 organizations use its DevOps platform, according to GitLab, and the company estimates it has more than 30 million estimated registered users from 66 countries worldwide.
News URL
Related news
- GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others (source)
- Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002) (source)
- Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability (source)
- VMware fixes critical vCenter RCE vulnerability, patch now (source)
- Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool (source)
- Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application (source)
- Critical GitLab bug lets attackers run pipelines as any user (source)