Use of Hard-coded Credentials Affecting gitlab package, versions <15.10.8+ds1-2
Threat Intelligence
Exploit Maturity
Mature
EPSS
34.64% (98th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-GITLAB-2606946
- published 11 Apr 2022
- disclosed 4 Apr 2022
Introduced: 4 Apr 2022
CVE-2022-1162 Open this link in a new tabHow to fix?
Upgrade Debian:unstable gitlab to version 15.10.8+ds1-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gitlab package and not the gitlab package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
References
- https://security-tracker.debian.org/tracker/CVE-2022-1162
- http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/357210
- https://www.exploit-db.com/exploits/50888
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-1162.yaml
CVSS Scores
version 3.1