GitLab has patched a critical vulnerability that meant static passwords were inadvertently set during OmniAuth-based registration – putting accounts at risk of malicious takeover.
The DevOps platform has also fixed a pair of high severity, stored cross-site scripting (XSS) bugs as part of its monthly security release for March. The same update also addresses nine medium severity and five low impact issues.
GitLab users have been urged to update their installations immediately to the latest versions, which are 14.9.2, 14.8.5, and 14.7.7 for both the Community Edition (CE) and Enterprise Edition (EE). GitLab.com is already running a patched version.
Critical credential issue
The critical flaw, which is tracked as CVE-2022-1162, saw hardcoded passwords set for accounts registered via OmniAuth providers.
Notching a CVSS score of 9.1, the vulnerability affects GitLab CE and EE 14.7 versions up to 14.7.7, 14.8 up to 14.8.5, and 14.9 up to 14.9.2.
After discovering the bug internally, GitLab “executed a reset of GitLab.com passwords for a selected set of users”, although it assured users that its investigation showed “no indication that users or accounts have been compromised”.
One of the stored XSS issues – CVE-2022-1175 – allowed attackers to inject HTML in notes because of “improper neutralization of user input”. The other XSS flaw (CVE-2022-1190), which was blamed on improper handling of user input, enabled abuse of multi-word milestone references in issue descriptions, comments, and similar.
Both XSS vulnerabilities notched a CVSS score of 8.7. Affected versions are 14.7.7 back to 14.4 for CVE-2022-1175 and back to 8.3 for CVE-2022-1190; and all 14.8 versions up to 14.8.5 plus all 14.9 versions up to 14.9.2 for both CVEs.
Credit for the finds is respectively due to ‘joaxcar’ and ‘ryhmnlfj’, hackers who reported the bugs through GitLab’s HackerOne bug bounty program
GitLab also flagged security updates to commonmarker, Mattermost, Swagger, go-proxyproto, and Devise that affect all versions of GitLab CE and EE editions.
A security release for Grafana, meanwhile, affects all versions of GitLab Omnibus, while a Python update affects all versions of GitLab Charts.
Source: https://portswigger.net/daily-swig/gitlab-addresses-critical-account-hijack-bug
