CVE-2022-1162

EUVD-2022-24504
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GitLabCNA
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
gitlabgitlab
14.7.0 ≤
𝑥
< 14.7.7
gitlabgitlab
14.7.0 ≤
𝑥
< 14.7.7
gitlabgitlab
14.8.0 ≤
𝑥
< 14.8.5
gitlabgitlab
14.8.0 ≤
𝑥
< 14.8.5
gitlabgitlab
14.9.0 ≤
𝑥
< 14.9.2
gitlabgitlab
14.9.0 ≤
𝑥
< 14.9.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gitlab
sid
16.8.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gitlab
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
https://gitlab.com/gitlab-org/gitlab/-/issues/357210
http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
https://gitlab.com/gitlab-org/gitlab/-/issues/357210