GitLab scrambles to release emergency fix after password snafu
A high severity password flaw has been fixed, GitLab says
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) have been patched to fix a major flaw regarding hard-coded passwords, the company has revealed.
In an advisory that accompanied the fix, GitLab explained how the flaw gave potential attackers the ability to completely take over vulnerable endpoints.
The vulnerability revolves around how the software generates a fake strong password for testing. There are three elements: User.password_length.max, a user-set maximum password length; DEFAULT_LENGTH, which is hard-coded at 12 characters; and the fake strong password used for testing, “123qweQWE!@#”.
The difference between the first two values is filled with zeros.
High severity vulnerabilities
So, for example, if a user were to set the maximum password length at 21, the software would pad “123qweQWE!@#” with zeros to reach that maximum. In this particular example, the result would be “123qweQWE!@#000000000”, and that password would grant access to all accounts created with OmniAuth.
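The following Ruby snippet is an added illustration, not GitLab's own code: it models the predictable-password construction the article describes (the fixed placeholder padded with zeros up to the user-set maximum), places a CSPRNG-based replacement beside it, and adds a defender-side check for spotting accounts that carry the predictable value. The function names, the `DEFAULT_LENGTH` usage and the hardening approach are assumptions for the example.

```ruby
require 'securerandom'

# Constructed example modelling CVE-2022-1162 as described in the article.
# Not GitLab's code; names and structure are assumptions for illustration.
DEFAULT_LENGTH = 12                        # hard-coded placeholder length
FAKE_STRONG_PASSWORD = '123qweQWE!@#'      # the fixed "fake strong password"

# Vulnerable behaviour: the placeholder is padded with zeros up to the
# user-set maximum (User.password_length.max in GitLab terms), so every
# account created this way ends up with the same, guessable password.
def vulnerable_test_password(max_length)
  padding = [max_length - DEFAULT_LENGTH, 0].max
  FAKE_STRONG_PASSWORD + ('0' * padding)
end

# Hardened replacement (assumed approach): draw every character from a
# cryptographically secure generator, so no two accounts share a password
# and nothing about it can be derived from configuration values.
def random_test_password(max_length)
  alphabet = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + %w[! @ # $ % ^ & *]
  Array.new(max_length) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# Defender-side check: does a candidate password follow the predictable
# pattern (placeholder followed only by zeros)? In a real deployment the
# stored value is a hash, so one would hash the pattern for each plausible
# length and compare digests; the accounts that match are the ones to reset.
def predictable_password?(candidate)
  return false unless candidate.start_with?(FAKE_STRONG_PASSWORD)
  candidate[FAKE_STRONG_PASSWORD.length..-1].match?(/\A0*\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable (max 21): #{vulnerable_test_password(21)}"
  puts "hardened   (max 21): #{random_test_password(21)}"
  puts "flagged?           : #{predictable_password?(vulnerable_test_password(21))}"
end
```

Running the file prints the deterministic 21-character value from the article first, then a fresh random password on each invocation; the same deterministic value is exactly what `predictable_password?` flags for a forced reset.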
The bug is tracked as CVE-2022-1162, and was given a severity score of 9.1.
It was discovered and patched by the GitLab team, and was reportedly not abused in the wild, with the company saying that no user identities have been stolen so far.
“We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC [Thursday],” the advisory reads. “Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.”
GitLab is a DevOps platform that offers a one-stop shop for developers looking to create, secure, and operate their software. The newest versions of the cloud-hosted software are 14.9.2, 14.8.5, and 14.7.7, and the developers are urging users to apply the patches immediately.
In total, 12 flaws have been fixed with these patches, including a stored XSS vulnerability. According to company data, GitLab has a million active users.
Via: The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.