← back
CVE-2022-1162

CVE-2022-1162

CVSS 9.1 CRITICALEPSS 76.2%
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
GitLab · GitLab
public PoCs found4
githubgithub.com/Greenwolf/CVE-2022-11624githubgithub.com/ipsBruno/CVE-2022-11622cve_referencepacketstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.htmlunverifiedexploitdbwww.exploit-db.com/exploits/50888unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.htmlhttps://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/357210