Security News > 2022 > April > Critical GitLab vulnerability lets attackers take over accounts

Critical GitLab vulnerability lets attackers take over accounts
2022-04-01 14:52

GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords.

The bug affects both GitLab Community Edition and Enterprise Edition.

This flaw results from static passwords accidentally set during OmniAuth-based registration in GitLab CE/EE. "A hardcoded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the GitLab team explained in a security advisory published on Thursday.

GitLab urged users to immediately upgrade all GitLab installations to the latest versions to block potential attacks.

"We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC," the GitLab team said.

Over 100,000 organizations use its DevOps platform, according to GitLab, and the company estimates it has more than 30 million estimated registered users from 66 countries worldwide.


News URL

https://www.bleepingcomputer.com/news/security/critical-gitlab-vulnerability-lets-attackers-take-over-accounts/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gitlab 10 47 736 246 58 1087