GitLab issues critical update after hard-coding passwords into accounts
2022-04-01 19:21

GitLab on Thursday issued security updates for three versions of GitLab Community Edition and Enterprise Edition software that address, among other flaws, a critical hard-coded password bug.

"A hard-coded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in its advisory.

The bug, with a 9.1 CVSS score, was found internally by GitLab and the fix has been applied to the company's hosted service already, in conjunction with a limited password reset.

GitLab has also released a script - with a "Use at your own risk" warning - to automatically reset user passwords in self-managed GitLab instances.
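The following Ruby model is an added example, not GitLab's code and not the reset script mentioned above. It illustrates the flaw class the advisory describes: an account created through an external identity provider (the `provider` field stands in for an OmniAuth login) is given a fixed password that is the same for every such account, so anyone who knows that constant can log in directly, bypassing the provider. Beside it is the corrected pattern (a random, never-disclosed password per account), an audit helper a defender could use to find accounts still carrying a known constant, and a forced reset like the one the remediation script performs. All names, the user structure and the placeholder constant are constructed for this example.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical minimal account record; not GitLab's schema.
User = Struct.new(:email, :provider, :password_hash, :salt)

# Constructed placeholder standing in for "a hard-coded password"; the real
# value from the advisory is not known and not needed here.
FIXED_PASSWORD = 'constructed-placeholder-constant'

# PBKDF2 iteration count lowered from production values to keep the example fast.
PBKDF2_ITERATIONS = 10_000

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Constant-time string comparison so the audit does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Flawed pattern: every provider-registered account shares one fixed password.
# The per-account salt hides the fact in the stored hashes, but the password
# itself is still the same everywhere.
def create_user_flawed(email, provider)
  salt = SecureRandom.hex(16)
  User.new(email, provider, hash_password(FIXED_PASSWORD, salt), salt)
end

# Corrected pattern: a random password that is generated, hashed and discarded,
# so the only way into the account is through the identity provider.
def create_user_fixed(email, provider)
  salt = SecureRandom.hex(16)
  User.new(email, provider, hash_password(SecureRandom.base64(32), salt), salt)
end

def password_login?(user, password)
  secure_equal?(hash_password(password, user.salt), user.password_hash)
end

# Defender-side audit: given a constant known to have been hard-coded, list the
# provider-registered accounts that still accept it, so they can be reset.
def accounts_accepting(users, known_constant)
  users.select { |u| u.provider && password_login?(u, known_constant) }.map(&:email)
end

# Forced reset, as a self-managed remediation script would do: replace the
# password with a fresh random one that nobody is told.
def force_password_reset!(user)
  user.salt = SecureRandom.hex(16)
  user.password_hash = hash_password(SecureRandom.base64(32), user.salt)
  user
end

if __FILE__ == $PROGRAM_NAME
  users = [
    create_user_flawed('alice@example.test', 'oauth-provider'),
    create_user_fixed('bob@example.test', 'oauth-provider')
  ]
  puts "Accounts accepting the known constant: #{accounts_accepting(users, FIXED_PASSWORD)}"
  users.each { |u| force_password_reset!(u) }
  puts "After reset: #{accounts_accepting(users, FIXED_PASSWORD)}"
end
```

The audit only proves that an account accepts one specific constant; it cannot tell whether an attacker already used it, which is why the advisory pairs the upgrade with a password reset rather than relying on a check alone.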

"We strongly recommend that all GitLab installations be upgraded to one of these versions immediately," the GitLab advisory says.

GitLab claims to have 30 million registered users and a million active license users, with more than 100,000 organizations using the firm's software.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/01/gitlab_security_advisory/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gitlab 10 88 762 105 12 967