With an out-of-band emergency update, the GitLab developers are patching a number of security holes, one of which is rated critical because it could allow attackers to take over user accounts. GitLab advises administrators and users to download and install the updated versions quickly. For the Software-as-a-Service (SaaS) offering on gitlab.com, the project has also reset the passwords of a set of potentially affected accounts as a precaution.
The new versions close a total of 17 vulnerabilities, of which the developers classify one as critical, two as high, nine as medium and five as low risk. The flaws affect both the Community Edition (CE) and the Enterprise Edition (EE).
Multiple vulnerabilities
The most serious vulnerability affects registration through OmniAuth, that is, sign-in via an external identity provider using OAuth, LDAP or SAML. Accounts created this way were assigned a static, hard-coded password. Because GitLab also accepts username/password logins alongside SSO, anyone who knew that value could potentially take over such accounts (CVE-2022-1162, CVSS 9.1, critical). Affected are versions 14.7 before 14.7.7, 14.8 before 14.8.5 and 14.9 before 14.9.2.
On gitlab.com, the SaaS version, the GitLab team therefore reset the passwords of a selected set of accounts as a security measure. Their investigation found no evidence that the flaw had already been exploited.
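To make the class of bug concrete, the following Ruby snippet (GitLab is a Rails application) contrasts a vulnerable OmniAuth provisioning path with a hardened one and shows the check an administrator would run to find affected accounts. This is an added illustration, not GitLab's code: the User struct, the function names, the plain SHA-256 stand-in for Devise's bcrypt hashing and the placeholder constant are all assumptions made for this example; the real hard-coded value is not reproduced here.

```ruby
require 'securerandom'
require 'digest'

# Minimal stand-in for a user record. Assumption for this example only; the
# real model has many more fields and uses Devise for password handling.
User = Struct.new(:username, :provider, :password_hash, :password_automatically_set)

# Stand-in hasher so the example runs without the bcrypt gem. A real system
# must use a slow, salted hash; with salted hashes the detection below still
# works because it verifies the known constant against each account instead
# of comparing hashes to each other.
def hash_password(plain)
  Digest::SHA256.hexdigest(plain)
end

# Constructed placeholder, not the actual value from the advisory.
STATIC_PASSWORD = 'example-static-password'

# Vulnerable pattern (the bug class behind CVE-2022-1162): every account
# provisioned from an OmniAuth login gets the same fixed password, so the
# password login path bypasses the identity provider entirely.
def build_user_vulnerable(username, provider)
  User.new(username, provider, hash_password(STATIC_PASSWORD), false)
end

# Hardened pattern: a long random per-account password, plus a flag marking
# it as machine-generated so password login is refused until the user sets
# one through a verified reset flow.
def build_user_hardened(username, provider)
  random = SecureRandom.urlsafe_base64(32)
  User.new(username, provider, hash_password(random), true)
end

# Simulated username/password login. SSO-only accounts never authenticate
# via this path.
def password_login?(user, plain)
  return false if user.password_automatically_set
  user.password_hash == hash_password(plain)
end

# Administrator check: which accounts would accept the known static value?
# These are the ones whose passwords must be reset (as done on gitlab.com).
def affected_accounts(users)
  users.select { |u| password_login?(u, STATIC_PASSWORD) }
end

if __FILE__ == $PROGRAM_NAME
  users = [
    build_user_vulnerable('alice', 'saml'),
    build_user_vulnerable('bob', 'ldap'),
    build_user_hardened('carol', 'oauth2')
  ]
  puts "accounts to reset: #{affected_accounts(users).map(&:username).join(', ')}"
end
```

The important detail is the combination: a predictable password is only exploitable because a second, non-SSO login path honours it. Marking provider-created accounts as having an automatically set password closes that path even if the random generator were later misconfigured.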
In addition, insufficient filtering of user input allowed attackers to inject HTML into notes, a stored cross-site scripting flaw (CVE-2022-1175, CVSS 8.7, high). A similar vulnerability affected multi-word references to milestones in issue descriptions, comments and similar fields (CVE-2022-1190, CVSS 8.7, high).
Updated Components
The releases also ship updated versions of CommonMarker, Devise, go-proxyproto, Grafana, Mattermost, Python and Swagger to close security gaps in those bundled components. The GitLab release notes list details of the remaining security fixes and a single non-security change.
The GitLab developers fix the security gaps in the new versions 14.7.7, 14.8.5 and 14.9.2. The gitlab.com SaaS servers are already running the updated software. Administrators of self-managed instances can find ready-made containers and source code, along with instructions and notes, on the GitLab update page. To prevent attackers from exploiting the critical vulnerability and the other flaws, IT managers should install the updates promptly; in the past, administrators have often been slow to do so.
(DMK)