GitLab has fixed a critical security vulnerability in several versions of its platform that could allow an attacker to take over victims’ accounts, thanks to a hardcoded password.
The static password issue affected a number of versions of GitLab’s software and the company is warning customers to update their instances as soon as possible in order to protect against potential attacks.
“A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue,” Dominic Couture of GitLab said in a security advisory Thursday.
“We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.”
GitLab has fixed the password issue in versions 14.9.2, 14.8.5, and 14.7.7.
In addition to the critical hardcoded password issue, the new releases also include fixes for a number of other security vulnerabilities. The two most-serious ones are a pair of cross-site scripting bugs, one in the notes function and the other on multi-word milestone references.
“Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. This is a high severity issue,” the advisory says.
There was also an issue that could allow an attacker to steal a user’s authentication token and then reuse it on other websites.
“Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites,” the advisory says.