GitLab issues critical update after hard-coding passwords into accounts
Fixed passphrases for OmniAuth users not such a great idea
GitLab on Thursday issued security updates for three versions of GitLab Community Edition (CE) and Enterprise Edition (EE) software that address, among other flaws, a critical hard-coded password bug.
The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one "critical" security vulnerability (CVE-2022-1162), as well as two rated "high," nine rated "medium," and four rated "low."
"A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in its advisory.
It appears from the changed files the
password.rb module generated a fake strong password for testing by concatenating "123qweQWE!@#" with a number of "0"s equal to the difference of
User.password_length.max, which is user-set, and
DEFAULT_LENGTH, which hard-coded with the value 12.
So if an organization configured its own instance of GitLab to accept passwords of no more than 21 characters, it looks like that an account takeover attack on that GitLab installation could use the default password of "123qweQWE!@#000000000" to access accounts created via OmniAuth.
The bug, with a 9.1 CVSS score, was found internally by GitLab and the fix has been applied to the company's hosted service already, in conjunction with a limited password reset.
"We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC [Thursday]," the security advisory says. "Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security."
- Want a piece of GitLab? It's going to cost you: IPO price per share settles at $77
- GitHub CEO forks off: Nat Friedman to quit this month, replacement will report to exec behind .NET Hot Reload fiasco
- GitHub puts prebuilt Codespaces into public beta
- GitLab all set to go public as revenues – and losses – rise
GitLab has also released a script – with a "use at your own risk" warning – to automatically reset user passwords in self-managed GitLab instances.
Other noteworthy fixes for the advisory include a stored XSS vulnerability (CVE-2022-1175) arising from improper input sanitation in notes. This allowed an attacker to exploit cross-site scripting by injecting HTML.
Also, there's CVE-2022-1190, which enables a stored XSS attack by putting code in multi-word milestone references in issue descriptions, comments, and so on.
These last two CVEs are both rated high severity, with CVSS scores of 8.7. While the medium and low severity bugs may not as worrisome, GitLab is keen to have everyone update regardless.
"We strongly recommend that all GitLab installations be upgraded to one of these versions immediately," the GitLab advisory says.
GitLab claims to have 30 million registered users and a million active license users, with more than 100,000 organizations using the firm's software. ®