A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html | Third Party Advisory VDB Entry |
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json | Vendor Advisory |
https://gitlab.com/gitlab-org/gitlab/-/issues/357210 | Broken Link |
Configurations
Configuration 1 (hide)
|
History
27 Apr 2022, 20:35
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html - Third Party Advisory, VDB Entry |
26 Apr 2022, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Apr 2022, 19:48
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json - Vendor Advisory | |
References | (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/357210 - Broken Link | |
CWE | CWE-798 | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CPE | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* |
04 Apr 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-04 20:15
Updated : 2024-02-04 22:29
NVD link : CVE-2022-1162
Mitre link : CVE-2022-1162
CVE.ORG link : CVE-2022-1162
JSON object : View
Products Affected
gitlab
- gitlab
CWE
CWE-798
Use of Hard-coded Credentials