Critical vulnerability: GitLab ships out-of-band security update

With an out-of-band emergency update, GitLab's developers are patching a number of security holes, one of which, rated critical, could allow attackers to take over user accounts. GitLab advises administrators and users to download and install the updated versions promptly. For its Software-as-a-Service (SaaS) offering on gitlab.com, the project has also reset the passwords of selected accounts as a precaution.

The new versions close a total of 17 vulnerabilities, of which the developers classify one as critical, two as high, nine as medium and five as low risk. The flaws affect both the Community Edition and the Enterprise Edition.

The most serious vulnerability concerns OmniAuth registration, i.e. accounts created through a single sign-on provider based on OAuth, LDAP or SAML. Accounts created this way were assigned a hard-coded password, so anyone who knows that value can sign in as the user through the normal password login and take over the account (CVE-2022-1162, CVSS 9.1, critical).
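To make the bug class concrete, here is a constructed Ruby model of SSO account provisioning (added here; it is not GitLab's code, and the placeholder default password, the account structure and the PBKDF2 parameters are assumptions for illustration). It shows the vulnerable pattern, in which every provider-created account receives the same fixed password, next to the hardened pattern, in which each account gets a long random password that nobody records, plus a small audit helper an operator could use to find accounts that still accept a known fixed value.

```ruby
require 'securerandom'
require 'openssl'

# Constructed, simplified model of SSO (OmniAuth-style) account provisioning.
# Not GitLab's code: it only demonstrates the class of bug behind CVE-2022-1162,
# where accounts created from an external identity also received a fixed password.
Account = Struct.new(:username, :provider, :extern_uid, :salt, :digest, keyword_init: true)

# Assumed placeholder standing in for "some hard-coded value". The value used by
# the vulnerable GitLab releases is not part of this example.
HARDCODED_DEFAULT = 'changeme-default'.freeze

PBKDF2_ITERATIONS = 20_000

# Derive a 32-byte key from password and salt with PBKDF2-HMAC-SHA256.
def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, OpenSSL::Digest.new('sha256'))
end

# Compare two byte strings without short-circuiting on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def build_account(username, provider, extern_uid, password)
  salt = SecureRandom.random_bytes(16)
  Account.new(username: username, provider: provider, extern_uid: extern_uid,
              salt: salt, digest: derive(password, salt))
end

# Vulnerable pattern: every account provisioned from an SSO login gets the same
# fixed password. Anyone who knows it can sign in as any such user through the
# ordinary username/password form, bypassing the identity provider entirely.
def provision_vulnerable(username, provider, extern_uid)
  build_account(username, provider, extern_uid, HARDCODED_DEFAULT)
end

# Hardened pattern: a long random password per account that is never shown or
# stored in clear. The user keeps signing in through the provider, and no value
# exists that would work on the password form.
def provision_hardened(username, provider, extern_uid)
  build_account(username, provider, extern_uid, SecureRandom.hex(32))
end

def password_login?(account, password)
  constant_time_equal?(account.digest, derive(password, account.salt))
end

# Audit helper: which accounts accept a given candidate password? Run it over
# SSO-provisioned accounts with a known fixed value to list takeover-able ones.
def accounts_accepting(accounts, password)
  accounts.select { |a| password_login?(a, password) }.map(&:username)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts: two provisioned the old way, two the hardened way.
  vuln = %w[alice bob].map { |u| provision_vulnerable(u, 'saml', "#{u}@idp.example") }
  safe = %w[carol dave].map { |u| provision_hardened(u, 'saml', "#{u}@idp.example") }
  puts "accounts accepting the fixed default: #{accounts_accepting(vuln + safe, HARDCODED_DEFAULT).inspect}"
end
```

The audit helper is the part an administrator actually wants: on a real instance the equivalent is to take every account whose identity came from an external provider during the affected releases and treat it as compromised until its password has been rotated, which is what the gitlab.com operators did for selected accounts.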

On gitlab.com, the SaaS version, the project's operators therefore reset the passwords of selected accounts as a precaution. Their investigation found no evidence that the flaw had already been exploited.

In addition, insufficient filtering of user input allowed attackers to inject HTML code into notes, a stored cross-site scripting (XSS) vulnerability (CVE-2022-1175, CVSS 8.7, high). A similar vulnerability was found in multi-word references to milestones in issue descriptions, comments and similar fields (CVE-2022-1190, CVSS 8.7, high).

Updated versions of the bundled components CommonMarker, Devise, go-proxyproto, Grafana, Mattermost, Python and Swagger also close security gaps. The GitLab release notes list details of the other security fixes and a single non-security change.

GitLab's developers fix the security gaps in the new versions 14.7.7, 14.8.5 and 14.9.2. The servers of the SaaS offering on gitlab.com are already running the new software. Administrators can find ready-made containers and source code, along with instructions and notes, on the GitLab update page. To prevent attackers from exploiting the critical and the other vulnerabilities, IT managers should install the updates promptly; in the past, administrators have often been slow to do so.
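Because the fix was backported to three minor series, a plain "is my version newer than 14.7.7" comparison is wrong: 14.8.4 is newer than 14.7.7 and still unpatched. The following Ruby check (an added example, not a GitLab tool) takes the version string a self-managed instance reports, for instance from `gitlab-rake gitlab:env:info` or the authenticated `/api/v4/version` endpoint, strips the `-ee`/`-ce` edition suffix, and decides per series whether the installed release is at or past the fixed one. Treating any series newer than 14.9 as patched is an assumption; the page only names the three fixed releases.

```ruby
require 'rubygems'

# Fixed releases named in the advisory, one per affected minor series.
FIXED_RELEASES = %w[14.7.7 14.8.5 14.9.2].map { |v| Gem::Version.new(v) }.freeze

# Reduce a reported version such as "14.9.2-ee" or "14.8.4-ce" to its numeric
# part. Gem::Version would otherwise treat "-ee" as a prerelease tag and rank
# 14.9.2-ee below 14.9.2.
def numeric_version(reported)
  numeric = reported.to_s.strip[/\A\d+(\.\d+)*/]
  raise ArgumentError, "unrecognised version string: #{reported.inspect}" unless numeric
  Gem::Version.new(numeric)
end

# True when the installed version is at or past the fixed release of its own
# minor series. Series without a listed fix: newer than the newest fixed series
# counts as patched (assumption), older series are reported as needing an upgrade.
def patched?(reported)
  installed = numeric_version(reported)
  series = installed.segments[0, 2]
  fixed = FIXED_RELEASES.find { |f| f.segments[0, 2] == series }
  return installed >= fixed if fixed

  (series <=> FIXED_RELEASES.max.segments[0, 2]).positive?
end

# Human-readable verdict for a report line.
def verdict(reported)
  patched?(reported) ? "#{reported}: at a fixed release" : "#{reported}: upgrade required"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs mimicking what instances would report.
  %w[14.7.7-ee 14.8.4-ee 14.9.1-ce 14.9.2-ee 14.10.0-ee 14.6.7-ce].each { |v| puts verdict(v) }
end
```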


(DMK)
