GitLab releases security patch to make account takeover harder • The Register

GitLab on Thursday released security updates for three versions of its GitLab Community Edition (CE) and Enterprise Edition (EE) software that fix, among other flaws, a critical hard-coded password bug.
The cloud-hosted software version control service has released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, patching a “critical” security vulnerability (CVE-2022-1162), along with two rated “high”, nine rated “medium”, and four rated “low”.
“A hard-coded password has been set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take control of accounts,” the company said in its advisory.
It emerges from the modified files that the password.rb module generated a fake strong password for testing by concatenating “123qweQWE!@#” with a number of “0”s equal to the difference between User.password_length.max (user-defined) and DEFAULT_LENGTH (hard-coded with the value 12).
So if an organization has configured its own instance of GitLab to accept passwords of up to 21 characters, it looks like an account takeover attack on that GitLab installation could use the default password “123qweQWE!@#000000000” to access accounts created via OmniAuth.
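To make the mechanism concrete, here is an added Ruby example (not GitLab's own code) that reconstructs, from the description above, the shape of the flawed generator and puts a CSPRNG-based replacement beside it, together with a small audit helper a defender can use to check whether a password equals the predictable default for a given configured maximum length. The method names, the complexity policy and the symbol set are assumptions; only the prefix “123qweQWE!@#” and DEFAULT_LENGTH = 12 come from the article.

```ruby
require 'securerandom'

# Value the article cites as hard-coded in password.rb.
DEFAULT_LENGTH = 12
# Fixed seed string the article cites; padded with "0"s up to the configured max.
WEAK_PREFIX = "123qweQWE!@#".freeze

# Flawed behaviour as described: the output depends only on the instance's
# configured maximum password length, so anyone who knows that setting
# knows the password. (Reconstruction, not GitLab's source.)
def flawed_fake_strong_password(max_length)
  WEAK_PREFIX + ("0" * (max_length - DEFAULT_LENGTH))
end

# Hardened replacement (assumed design): draw every character from a CSPRNG
# and re-draw until a simple complexity policy is met, so the value still
# passes "strong password" validators but is not predictable.
SYMBOLS = "!@#$%^&*".freeze
ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + SYMBOLS.chars).freeze

def complex?(pw)
  pw.match?(/[a-z]/) && pw.match?(/[A-Z]/) && pw.match?(/\d/) &&
    pw.chars.any? { |c| SYMBOLS.include?(c) }
end

def random_strong_password(length)
  raise ArgumentError, "length must allow all four character classes" if length < 4
  loop do
    pw = Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
    return pw if complex?(pw)
  end
end

# Defender's audit helper: true when a candidate equals the predictable
# default for the given configured maximum length. Use plaintext only in a
# controlled test; on a live instance compare the stored password hash
# against the hash of this value instead.
def predictable_default?(password, max_length)
  password == flawed_fake_strong_password(max_length)
end

if __FILE__ == $PROGRAM_NAME
  puts flawed_fake_strong_password(21)   # the 21-character default discussed above
  puts random_strong_password(21)        # differs on every run
end
```

The point of the contrast is that a "fake strong" placeholder must be unpredictable, not merely long: padding a fixed string with zeros satisfies length and character-class checks while leaving the effective secret at zero bits.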
The bug, with a CVSS score of 9.1, was found internally by GitLab and the fix has already been applied to the company’s hosted service, in conjunction with a limited password reset.
“We performed a GitLab.com password reset for a select set of users beginning at 3:38 PM UTC [Thursday],” states the security advisory. “Our investigation shows no indication that users or accounts have been compromised, but we are taking precautionary measures for the security of our users.”
GitLab has also released a script – with an “at your own risk” warning – to automatically reset user passwords in self-managed GitLab instances.
Other notable fixes in the advisory include a stored XSS vulnerability (CVE-2022-1175) resulting from incorrect sanitization of input in notes, which allowed an attacker to carry out cross-site scripting by injecting HTML.
Additionally, there is CVE-2022-1190, which allows a stored XSS attack by placing code in multi-word milestone references in issue descriptions, comments, etc.
These last two CVEs are both classified as high severity, with CVSS scores of 8.7. While medium and low severity bugs aren’t as much of a concern, GitLab wants everyone to update regardless.
“We strongly recommend that all GitLab installations be immediately upgraded to one of these releases,” the GitLab advisory reads.
GitLab claims to have 30 million registered users and one million active licensed users, with more than 100,000 organizations using the company’s software. ®