CVSSv3 9.8

CVE-2022-1162

Published: 04/04/2022 Updated: 27/04/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 before 14.7.7, 14.8 before 14.8.5, and 14.9 before 14.9.2. Because every such account received the same password, an attacker who knows it can sign in with only the username and potentially take over the account.


Vulnerable Product: gitlab / gitlab (vendor / product)

Exploits

GitLab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from an authentication bypass vulnerability due to having set a hardcoded password for accounts registered using an OmniAuth provider ...

Github Repositories

CVE-2022-1162 A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. Exploit: New GitLab accounts (created since the first affected version and if GitLab is before the patched version)

A ruby on rails script for GitLab to reset password of users

gitlab-password-reset-script A Ruby on Rails script for GitLab to reset the password of users. The scripts in here are inspired by the script provided by GitLab: about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#script-to-identify-users-potentially-impacted-by-cve-2022-1162 To run a script, place it in /tmp/ and run it. Example: sudo gitl

A simple tool to enumerate users in gitlab

CVE-2022-1162 A GitLab TakeOver Tool A simple tool to enumerate users in GitLab and log in using CVE-2022-1162. Google Dork: intitle:"Sign in · GitLab" Cmd: python code.py url.com Pull Requests are Welcome!
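The vulnerability summary above and the password-reset script entry describe two sides of the same problem: how the defect arises (every OmniAuth-provisioned account gets one fixed password) and how an operator triages it (find accounts provisioned through OmniAuth since the instance first ran an affected release, then reset them). The Ruby below is an added illustration written for this page; it is not GitLab's code, not the linked GitLab script, and not the repository above. The hash-based user records, the cut-off date and the placeholder constant are assumptions, and the real hardcoded value is deliberately not reproduced.

```ruby
# Added illustration for CVE-2022-1162; not GitLab's code. Models the defect
# (one fixed password for every OmniAuth-provisioned account) beside the
# hardened pattern, and the triage/reset step an operator would run. All
# names, dates and the placeholder password below are assumptions.
require 'securerandom'

# Placeholder standing in for the fixed credential the affected releases
# assigned to every OmniAuth-provisioned account. The real value is not
# reproduced here; what matters is that it is identical for every account.
HARDCODED_PASSWORD = 'placeholder-same-for-every-account'.freeze

# Vulnerable pattern: the account gets the same password as every other
# OmniAuth account, so username + that constant signs in as the user.
def provision_omniauth_user_vulnerable(username:, provider:, extern_uid:, created_at:)
  {
    username: username,
    password: HARDCODED_PASSWORD,
    identities: [{ provider: provider, extern_uid: extern_uid, created_at: created_at }],
  }
end

# Hardened pattern: a per-account random password nobody knows, so the
# account is usable only through the identity provider (or after a reset).
def provision_omniauth_user_fixed(username:, provider:, extern_uid:, created_at:)
  {
    username: username,
    password: SecureRandom.alphanumeric(32),
    identities: [{ provider: provider, extern_uid: extern_uid, created_at: created_at }],
  }
end

# Minimal stand-in for the username/password sign-in check.
def password_login?(users, username, password)
  user = users.find { |u| u[:username] == username }
  !user.nil? && user[:password] == password
end

# Triage: accounts with an OmniAuth identity created on or after `since`,
# the date this instance first ran an affected release (assumed to be known
# to the operator; nothing here derives it). Returns usernames.
def potentially_impacted(users, since:)
  users.select { |u| u[:identities].any? { |i| i[:created_at] >= since } }
       .map { |u| u[:username] }
end

# Remediation: give each impacted account a fresh random password so the
# shared constant no longer works. Returns the usernames that were reset.
def reset_impacted!(users, since:)
  names = potentially_impacted(users, since: since)
  users.each do |u|
    u[:password] = SecureRandom.alphanumeric(32) if names.include?(u[:username])
  end
  names
end

# Constructed sample instance: one LDAP user provisioned before the affected
# window, two OmniAuth users provisioned inside it, one local-password user.
AFFECTED_SINCE = Time.utc(2022, 1, 22) # assumed date the instance moved to 14.7

def build_sample_users
  [
    provision_omniauth_user_fixed(username: 'alice', provider: 'ldapmain',
                                  extern_uid: 'uid=alice,ou=people', created_at: Time.utc(2021, 11, 1)),
    provision_omniauth_user_vulnerable(username: 'bob', provider: 'saml',
                                       extern_uid: 'bob@example.test', created_at: Time.utc(2022, 2, 10)),
    provision_omniauth_user_vulnerable(username: 'carol', provider: 'google_oauth2',
                                       extern_uid: '10987654321', created_at: Time.utc(2022, 3, 5)),
    { username: 'dave', password: SecureRandom.alphanumeric(32), identities: [] },
  ]
end

if __FILE__ == $PROGRAM_NAME
  users = build_sample_users
  puts "bob signs in with the shared constant: #{password_login?(users, 'bob', HARDCODED_PASSWORD)}"
  puts "potentially impacted: #{potentially_impacted(users, since: AFFECTED_SINCE).inspect}"
  reset_impacted!(users, since: AFFECTED_SINCE)
  puts "bob after reset: #{password_login?(users, 'bob', HARDCODED_PASSWORD)}"
end
```

On a real instance the same selection would be written against GitLab's User and Identity models from gitlab-rails runner, and the reset would go through the normal password-reset path rather than assigning into a hash; the part worth keeping is the criterion, an OmniAuth identity created inside the window in which the instance ran an affected release, since the password hash itself does not reveal whether the constant was used.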

Recent Articles

GitLab issues critical update after hard-coding passwords into accounts
The Register • Thomas Claburn in San Francisco

Fixed passphrases for OmniAuth users not such a great idea

GitLab on Thursday issued security updates for three versions of GitLab Community Edition (CE) and Enterprise Edition (EE) software that address, among other flaws, a critical hard-coded password bug. The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one "critical" security vulnerability (CVE-2022-1162), as well as two rated "high," nine rated "medium," and four rated "low." "A hard-coded password was set ...