Security News > 2022 > April > Critical GitLab vulnerability lets attackers take over accounts
GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords.
The bug affects both GitLab Community Edition and Enterprise Edition.
This flaw results from static passwords accidentally set during OmniAuth-based registration in GitLab CE/EE. "A hardcoded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the GitLab team explained in a security advisory published on Thursday.
GitLab urged users to immediately upgrade all GitLab installations to the latest versions to block potential attacks.
"We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC," the GitLab team said.
Over 100,000 organizations use its DevOps platform, according to GitLab, and the company estimates it has more than 30 million estimated registered users from 66 countries worldwide.
News URL
Related news
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)