Security News > 2022 > April > GitLab issues critical update after hard-coding passwords into accounts

GitLab issues critical update after hard-coding passwords into accounts
2022-04-01 19:21

GitLab on Thursday issued security updates for three versions of GitLab Community Edition and Enterprise Edition software that address, among other flaws, a critical hard-coded password bug.

"A hard-coded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in its advisory.

The bug, with a 9.1 CVSS score, was found internally by GitLab and the fix has been applied to the company's hosted service already, in conjunction with a limited password reset.

GitLab has also released a script - with a "Use at your own risk" warning - to automatically reset user passwords in self-managed GitLab instances.

"We strongly recommend that all GitLab installations be upgraded to one of these versions immediately," the GitLab advisory says.

GitLab claims to have 30 million registered users and a million active license users, with more than 100,000 organizations using the firm's software.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/01/gitlab_security_advisory/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gitlab 10 47 706 231 57 1041