{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-024.pdf"
    },
    "title": "Critical Vulnerability in GitLab",
    "serial_number": "2022-024",
    "publish_date": "04-04-2022 10:53:00",
    "description": "On 31/03/2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. Discovered by GitLab's internal team, this vulnerability allows a remote attacker to take over user accounts. GitLab is not aware of accounts compromised by exploiting this vulnerability.<br>Evaluated with a score of 9.1 out of 10, CERT-EU recommends patching as soon as possible.",
    "url_title": "2022-024",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in GitLab'\nversion: '1.0'\nnumber: '2022-024'\ndate: 'April 4, 2022'\n---\n\n_History:_\n\n* _04/04/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 31/03/2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. Discovered by GitLab's internal team, this vulnerability allows a remote attacker to take over user accounts. GitLab is not aware of accounts compromised by exploiting this vulnerability.\n\nEvaluated with a score of 9.1 out of 10, CERT-EU recommends patching **as soon as possible** [1].\n\n# Technical Details\n\nA hardcoded password was set for accounts registered using an OmniAuth provider (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.\n\n# Affected Products\n\n- Versions 14.7 to 14.7.6\n- Versions 14.8 to 14.8.4\n- Versions 14.9 to 14.9.1\n\n# Recommendations\n\nIf you\u2019re running an affected version of GitLab Community Edition/Enterprise Edition, it is highly recommended to upgrade the software to a patched version.\n\n| Affected version | Patched version |\n|------------------|-----------------|\n| 14.7.0 to 14.7.6 | 14.7.7 |\n| 14.8.0 to 14.8.4 | 14.8.5 |\n| 14.9.0 to 14.9.1 | 14.9.2 |\n\nAdditionally, GitLab developers created a script that self-managed instance admins can use to identify users potentially impacted by this vulnerability [2].\n\n# References\n\n[1] <https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/>\n\n[2] <https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#script-to-identify-users-potentially-impacted-by-cve-2022-1162>",
    "content_html": "<p><em>History:</em></p><ul><li><em>04/04/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 31/03/2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. Discovered by GitLab's internal team, this vulnerability allows a remote attacker to take over user accounts. GitLab is not aware of accounts compromised by exploiting this vulnerability.</p><p>Evaluated with a score of 9.1 out of 10, CERT-EU recommends patching <strong>as soon as possible</strong> [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>A hardcoded password was set for accounts registered using an OmniAuth provider (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Versions 14.7 to 14.7.6</li><li>Versions 14.8 to 14.8.4</li><li>Versions 14.9 to 14.9.1</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>If you\u2019re running an affected version of GitLab Community Edition/Enterprise Edition, it is highly recommended to upgrade the software to a patched version.</p><table><thead><tr><th>Affected version</th><th>Patched version</th></tr></thead><tbody><tr><td>14.7.0 to 14.7.6</td><td>14.7.7</td></tr><tr><td>14.8.0 to 14.8.4</td><td>14.8.5</td></tr><tr><td>14.9.0 to 14.9.1</td><td>14.9.2</td></tr></tbody></table><p>Additionally, GitLab developers created a script that self-managed instance admins can use to identify users potentially impacted by this vulnerability [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/\">https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#script-to-identify-users-potentially-impacted-by-cve-2022-1162\">https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#script-to-identify-users-potentially-impacted-by-cve-2022-1162</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}