GitLab addresses critical account hijack bug

GitLab has patched a critical vulnerability that meant static passwords were inadvertently set during OmniAuth-based registration – putting accounts at risk of malicious takeover.

The DevOps platform has also fixed a pair of high severity, stored cross-site scripting (XSS) bugs as part of its monthly security release for March. The same update also addresses nine medium severity and five low impact issues.

GitLab users have been urged to update their installations immediately to the latest versions, which are 14.9.2, 14.8.5, and 14.7.7 for both the Community Edition (CE) and Enterprise Edition (EE). GitLab.com is already running a patched version.

Critical credential issue

The critical flaw, which is tracked as CVE-2022-1162, saw hardcoded passwords set for accounts registered via OmniAuth providers.

Notching a CVSS score of 9.1, the vulnerability affects GitLab CE and EE 14.7 versions before 14.7.7, 14.8 versions before 14.8.5, and 14.9 versions before 14.9.2.
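A quick way for an administrator to check an installed version against the ranges quoted above, as an added example that is not part of the article or of GitLab's own tooling. It assumes the version string has the shape GitLab uses (`14.8.3-ee`, `14.9.2-ce`, or a bare `14.9.1`) and relies only on `Gem::Version` from Ruby's standard library:

```ruby
# Added example, not from the advisory: decide whether a GitLab CE/EE version
# string falls inside the CVE-2022-1162 ranges quoted above. Uses Gem::Version
# from Ruby's standard library for the comparison.
require "rubygems"

# First fixed patch release per affected minor series, as listed on the page.
FIXED_RELEASES_CVE_2022_1162 = {
  "14.7" => Gem::Version.new("14.7.7"),
  "14.8" => Gem::Version.new("14.8.5"),
  "14.9" => Gem::Version.new("14.9.2"),
}.freeze

# Returns true when the version is in an affected series and older than that
# series' fix. GitLab reports versions such as "14.8.3-ee"; the edition suffix
# is stripped first because Gem::Version would otherwise read "-ee" as a
# pre-release tag and sort "14.8.5-ee" below "14.8.5".
def affected_by_cve_2022_1162?(version_string)
  v = Gem::Version.new(version_string.sub(/-(ce|ee)\z/, ""))
  series = v.segments.first(2).join(".")
  fixed = FIXED_RELEASES_CVE_2022_1162[series]
  return false unless fixed # series the advisory does not list as affected
  v < fixed
end

if __FILE__ == $PROGRAM_NAME
  %w[14.7.6-ee 14.8.5-ee 14.9.1 14.6.0].each do |ver|
    puts "#{ver}: #{affected_by_cve_2022_1162?(ver) ? 'UPDATE' : 'not in affected range'}"
  end
end
```

Series the article does not list (14.6 and earlier, 14.10 and later) are reported as not in range; that mirrors the advisory text rather than asserting anything about those releases.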

After discovering the bug internally, GitLab “executed a reset of GitLab.com passwords for a selected set of users”, although it assured users that its investigation showed “no indication that users or accounts have been compromised”.
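The bug class behind CVE-2022-1162 is an auto-provisioning path that hands every provider-created account the same password. The following is an added illustration in plain Ruby, not GitLab's code and not a reconstruction of the actual defect: `provision_from_omniauth_weak`, the `User` struct, the `password_automatically_set` flag and the `SAMPLE_AUTH` hash are all constructed for the example. It shows the weak pattern beside a hardened one that generates a per-account random secret and additionally refuses password sign-in until the user has chosen a password themselves:

```ruby
require "securerandom"

# Constructed stand-in for a user record (a real app would use Devise/ActiveRecord).
User = Struct.new(:email, :provider, :uid, :password, :password_automatically_set)

# Weak pattern (constructed to illustrate the bug class): every account created
# through an OmniAuth provider receives the same fixed password. Whoever knows
# the constant can sign in through the ordinary password form and never touches
# the identity provider.
def provision_from_omniauth_weak(auth)
  User.new(auth[:email], auth[:provider], auth[:uid], "changeme", false)
end

# Hardened form: a fresh, high-entropy secret per account, marked as set by the
# system rather than the user.
def provision_from_omniauth_hardened(auth)
  User.new(auth[:email], auth[:provider], auth[:uid], SecureRandom.hex(32), true)
end

# Second layer: password sign-in is refused for accounts whose password was
# generated automatically, so even a leaked generated secret is not enough.
# (Plain string comparison here; a real app compares against a bcrypt hash.)
def password_sign_in_allowed?(user, candidate)
  return false if user.password_automatically_set
  user.password == candidate
end

# The user explicitly chooses a password, which clears the automatic flag.
def set_password!(user, new_password)
  raise ArgumentError, "password too short" if new_password.length < 12
  user.password = new_password
  user.password_automatically_set = false
  user
end

# Constructed sample callback data, shaped like what an OmniAuth strategy hands over.
SAMPLE_AUTH = { provider: "saml", uid: "u-1001", email: "alice@example.com" }.freeze

if __FILE__ == $PROGRAM_NAME
  weak = provision_from_omniauth_weak(SAMPLE_AUTH)
  hard = provision_from_omniauth_hardened(SAMPLE_AUTH)
  puts "weak account accepts the shared default: #{password_sign_in_allowed?(weak, 'changeme')}"
  puts "hardened account accepts its generated secret: #{password_sign_in_allowed?(hard, hard.password)}"
end
```

The second layer matters because a random password alone still leaves a password-based login route open for accounts that were only ever meant to authenticate through the provider; gating on the flag closes that route until the user opts in.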

One of the stored XSS issues – CVE-2022-1175 – allowed attackers to inject HTML in notes because of “improper neutralization of user input”. The other XSS flaw (CVE-2022-1190), which was blamed on improper handling of user input, enabled abuse of multi-word milestone references in issue descriptions, comments, and similar.

Both XSS vulnerabilities notched a CVSS score of 8.7. CVE-2022-1175 affects versions from 14.4 up to 14.7.7, and CVE-2022-1190 affects versions from 8.3 up to 14.7.7; both also affect all 14.8 versions up to 14.8.5 and all 14.9 versions up to 14.9.2.
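Both XSS bugs come down to user-controlled text reaching HTML without neutralization. The renderer below is an added example, not GitLab's markdown pipeline and not a reconstruction of either CVE: the `%"Multi word title"` reference syntax, the `MILESTONES` lookup table and its adversarial title are constructed for illustration. It shows a weak renderer that interpolates a looked-up milestone title straight into markup beside a hardened one that escapes every piece of text it emits, including the reference it resolved:

```ruby
require "erb"

# Constructed milestone store: title => URL path. The second title is the kind
# of value a user-editable field can carry.
MILESTONES = {
  "Release 1.0"        => "/group/project/-/milestones/1",
  "Beta <b>launch</b>" => "/group/project/-/milestones/2",
}.freeze

# Matches the %"Multi word title" reference form used in this example.
MILESTONE_REF = /%"([^"]+)"/

# Weak renderer (constructed to show the bug class): the resolved title and all
# surrounding note text are written into HTML unescaped.
def render_note_weak(text)
  text.gsub(MILESTONE_REF) do
    title = Regexp.last_match(1)
    path = MILESTONES[title]
    path ? %(<a href="#{path}">%#{title}</a>) : Regexp.last_match(0)
  end
end

# Hardened renderer: walk the note, escape the plain text between references,
# and escape both the href and the visible title of each resolved reference.
# Unresolved references are escaped verbatim rather than passed through.
def render_note_hardened(text)
  out = +""
  last = 0
  text.scan(MILESTONE_REF) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(text[last...m.begin(0)])
    title = m[1]
    path = MILESTONES[title]
    out << if path
             %(<a href="#{ERB::Util.html_escape(path)}">%#{ERB::Util.html_escape(title)}</a>)
           else
             ERB::Util.html_escape(m[0])
           end
    last = m.end(0)
  end
  out << ERB::Util.html_escape(text[last..])
end

if __FILE__ == $PROGRAM_NAME
  note = 'See %"Beta <b>launch</b>" soon'
  puts "weak:     #{render_note_weak(note)}"
  puts "hardened: #{render_note_hardened(note)}"
end
```

The point of escaping inside the resolved reference, not just around it, is that the milestone title is itself user input: a reference resolver that trusts database content because "it came from the app" reintroduces the same stored-XSS surface the advisory describes.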

Credit for the finds is respectively due to ‘joaxcar’ and ‘ryhmnlfj’, hackers who reported the bugs through GitLab’s HackerOne bug bounty program.

GitLab also flagged security updates to commonmarker, Mattermost, Swagger, go-proxyproto, and Devise that affect all versions of GitLab CE and EE.

A security release for Grafana, meanwhile, affects all versions of GitLab Omnibus, while a Python update affects all versions of GitLab Charts.

Source: https://portswigger.net/daily-swig/gitlab-addresses-critical-account-hijack-bug
