The corrective updates of the GitLab collaborative development platform, versions 14.7.7, 14.8.5 and 14.9.2, eliminate a critical vulnerability (CVE-2022-1162) caused by predefined (hardcoded) passwords being set for accounts registered through OmniAuth providers (OAuth, LDAP and SAML). The vulnerability potentially allows an attacker to gain access to such an account. All users are urged to install the update immediately. Details of the problem have not yet been disclosed. For users whose accounts were affected by the problem, a reset of the passwords that had been set has been initiated. The problem was identified by GitLab employees, and the investigation conducted did not reveal any traces of user accounts having been compromised.
The new versions also fix another 16 vulnerabilities, of which 2 are rated high severity, 9 medium and 5 low. Among the high-severity problems are the ability to inject HTML code (XSS) into notes (CVE-2022-1175) and into comments and descriptions of issues (CVE-2022-1190).