GitLab scrambles to release emergency fix after password snafu

By Scott Marlette Last updated Apr 4, 2022

GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) have been patched to fix a major flaw regarding hard-coded passwords, the company has revealed.

In an advisory that accompanied the fix, GitLab explained how the flaw gave potential attackers the ability to completely take over vulnerable endpoints.

The vulnerability revolves around how the software generates a fake strong password for testing. There are three elements: User.password_length.max, a user-set maximum character number for a password, DEFAULT_LENGTH, which is hard-coded at 12 characters, and the fake strong password for testing – “123qweQWE!@#”.

The difference between the first two factors is filled with zeros.

High severity vulnerabilities

So, for example, if a user were to set a maximum number of characters for a password at 21, the software would combine “123qweQWE!@#” with a number of zeros to reach that maximum. In this particular example, it would be “123qweQWE!@#000000000”, and that password would grant access to all accounts created with OmniAuth.

The bug is tracked as CVE-2022-1162, and was given a severity score of 9.1.

It was discovered, and patched, by the GitLab team, and allegedly, wasn’t abused in the wild – with the company saying that no user identities have been stolen so far.

“We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC [Thursday],” the advisory reads. “Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.”

GitLab is a DevOps software that offers a one-stop-shop for developers looking to create, secure, and operate their software. The cloud-hosted software’s newest versions include 14.9.2, 14.8.5, and 14.7.7, and the developers are urging the users to apply the patches immediately.

In total, 12 flaws have been fixed with these patches, including a stored XSS vulnerability. According to company data, GitLab has a million active users.

Via: The Register

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.