PT-2022-2064 · Gitlab · Gitlab Ce/Ee+1

Published 2022-04-01 · Updated 2024-03-06 · CVE-2022-1162

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

GitLab CE/EE versions 14.7 prior to 14.7.7
GitLab CE/EE versions 14.8 prior to 14.8.5
GitLab CE/EE versions 14.9 prior to 14.9.2

Description

A hardcoded password was set for accounts registered through an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab. Because that password was the same for every such account, an attacker who knew it could potentially take over any account registered this way.

Recommendations

For GitLab CE/EE versions 14.7 prior to 14.7.7, update to version 14.7.7 or later.
For GitLab CE/EE versions 14.8 prior to 14.8.5, update to version 14.8.5 or later.
For GitLab CE/EE versions 14.9 prior to 14.9.2, update to version 14.9.2 or later.
As a temporary workaround, consider restricting access to accounts registered with OmniAuth providers until the update is applied.
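As an added example (not part of this advisory and not GitLab's own code), a small check that classifies a reported GitLab version against the affected ranges listed above. It assumes the version string format returned by GitLab's authenticated GET /api/v4/version endpoint (e.g. "14.8.4-ee"); the sample response is constructed.

```python
"""Classify a GitLab CE/EE version against the CVE-2022-1162 ranges in this
advisory: 14.7 < 14.7.7, 14.8 < 14.8.5, 14.9 < 14.9.2 (added example)."""
import json
import re

# (major, minor) series -> first patched release, as stated in the advisory.
FIXED_IN = {
    (14, 7): (14, 7, 7),
    (14, 8): (14, 8, 5),
    (14, 9): (14, 9, 2),
}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'14.8.4-ee' -> (14, 8, 4); an optional 'v' prefix and -ee/-ce suffix are ignored."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'affected', 'fixed', or 'outside advisory range'.

    Series the advisory does not list (e.g. 14.6 or 14.10) are reported as
    'outside advisory range' rather than silently marked safe."""
    version = parse_version(version_text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "outside advisory range"
    return "affected" if version < fixed else "fixed"


def assess_api_response(body):
    """Assess the JSON body of GitLab's GET /api/v4/version endpoint,
    which carries a 'version' field such as '14.8.4-ee'."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch it over HTTPS
    # with a read-only token and then compare against the ranges above.
    sample = '{"version": "14.8.4-ee", "revision": "0000000"}'
    print(assess_api_response(sample))  # affected
    for v in ("14.7.6", "14.7.7", "14.9.1-ce", "14.9.2", "14.10.0"):
        print(v, "->", assess(v))
```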


Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

BDU:2022-01820
BIT-GITLAB-2022-1162
CVE-2022-1162

Affected Products

Gitlab
Gitlab Ce/Ee