CVE-2022-1162: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.

The flaw concerns user accounts, not SSH keys: an attacker who knew the static password and a victim's username could sign in to that account through the normal username/password form.

GitLab.com Vulnerable API Endpoints

GitLab's API access is included in its free platform package. The company boasts a huge user base of over 14 million developers, who use the software to build apps like those found on Google Play and iTunes.

The flaw allowed attackers to potentially take over an account by knowing only the victim's username and the hardcoded password; no key, token or prior access was required. GitLab has since patched the vulnerability and published the affected version ranges together with the fixed releases (14.7.7, 14.8.5 and 14.9.2).

GitLab is available as an open source Community Edition that users can self-host and control fully, alongside paid Enterprise Edition tiers and the hosted GitLab.com service, which add features such as managed project hosting and commercial support.

Other versions and platforms

Both Community Edition and Enterprise Edition are affected in the ranges 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2; GitLab.com was patched by the vendor. On an affected instance an attacker could hijack any account that had been created through an OmniAuth provider, so self-managed administrators should upgrade to 14.7.7, 14.8.5 or 14.9.2 and, because the static password may already have been used, review sign-in activity for accounts created via an OmniAuth provider during the affected window.

CVE-2023-1163: users with special permissions could view the passwords of other users stored in the LDAP server.



GitLab (CVE-2022-1162) - Hardcoded password for OmniAuth-registered accounts

GitLab is a web-based DevOps platform whose core application is written in Ruby on Rails, with supporting services such as Gitaly and GitLab Workhorse written in Go. In GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, accounts created through an OmniAuth provider (OAuth, SAML, LDAP and similar) were given a static, hardcoded password instead of a per-user random one. Because that password was the same for every such account, an attacker did not need to be on the instance's network, read any configuration file, or hold credentials of their own: knowing a target username and the static value was enough to sign in through the regular username/password form wherever password sign-in was permitted. Upgrading to a fixed release closes the hole for new accounts; accounts already created during the affected window need their passwords reset as well.
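The pattern described above, shown as an added example in plain Ruby (GitLab's own language) rather than GitLab's actual code: a user-creation routine that assigns one static password to every provider-registered account, the hardened version that assigns a random per-user value, and an audit/remediation pass an administrator could run over existing accounts. The `User` struct, the salted SHA-256 digest (real GitLab stores bcrypt digests via Devise) and the string `STATIC_DEFAULT_PASSWORD` are assumptions for illustration; the real hardcoded value is not reproduced.

```ruby
require 'securerandom'
require 'digest'

# Minimal stand-in for a Rails/Devise user record (assumption, not GitLab's
# model). A salted SHA-256 is used only to keep the example dependency-free;
# the real application stores bcrypt digests.
User = Struct.new(:username, :email, :provider, :salt, :password_digest,
                  keyword_init: true) do
  def password=(plain)
    self.salt = SecureRandom.hex(8)
    self.password_digest = Digest::SHA256.hexdigest("#{salt}:#{plain}")
  end

  # Constant-time comparison so the check itself does not leak timing.
  def valid_password?(plain)
    candidate = Digest::SHA256.hexdigest("#{salt}:#{plain}")
    return false unless candidate.bytesize == password_digest.bytesize
    candidate.each_byte.zip(password_digest.each_byte).sum { |a, b| a ^ b }.zero?
  end
end

# Hypothetical constant standing in for the hardcoded password; any fixed
# string has the same effect, which is the whole problem.
STATIC_DEFAULT_PASSWORD = 'hypothetical-static-default'.freeze

# Vulnerable pattern: every user created from an OmniAuth (OAuth/SAML/LDAP)
# callback gets the same password, so anyone who knows the username can sign
# in through the ordinary password form.
def build_user_vulnerable(auth_hash)
  u = User.new(username: auth_hash[:nickname], email: auth_hash[:email],
               provider: auth_hash[:provider])
  u.password = STATIC_DEFAULT_PASSWORD
  u
end

# Hardened pattern: a per-user random password nobody knows, so the account
# is usable only through the identity provider it was created from.
# (Devise.friendly_token is the Rails-world equivalent of this call.)
def build_user_fixed(auth_hash)
  u = User.new(username: auth_hash[:nickname], email: auth_hash[:email],
               provider: auth_hash[:provider])
  u.password = SecureRandom.alphanumeric(64)
  u
end

# Audit: which provider-created accounts still accept the static password?
# Returns the usernames that need a forced reset.
def affected_users(users, static_password = STATIC_DEFAULT_PASSWORD)
  users.select { |u| u.provider && u.valid_password?(static_password) }
       .map(&:username)
end

# Remediation: rotate every affected account to a fresh random password and
# return the list of usernames that were reset.
def reset_affected!(users, static_password = STATIC_DEFAULT_PASSWORD)
  names = affected_users(users, static_password)
  users.each do |u|
    u.password = SecureRandom.alphanumeric(64) if names.include?(u.username)
  end
  names
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample accounts: one created by the vulnerable code path,
  # one by the fixed path, one ordinary local (non-OmniAuth) account.
  users = [
    build_user_vulnerable(nickname: 'alice', email: 'alice@example.com', provider: 'saml'),
    build_user_fixed(nickname: 'carol', email: 'carol@example.com', provider: 'google_oauth2'),
    User.new(username: 'bob', email: 'bob@example.com', provider: nil).tap { |u| u.password = 'bobs-own-choice' }
  ]
  puts "accounts accepting the static password: #{affected_users(users).inspect}"
  puts "reset: #{reset_affected!(users).inspect}"
  puts "remaining: #{affected_users(users).inspect}"
end
```

The audit deliberately tests the digest rather than searching for a literal in the database: a hardcoded password leaves no distinctive marker in a salted digest, so the only reliable way to find affected rows is to try the known value against each provider-created account and rotate whatever still matches.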

Subscribe to CVE.news