Tech

Critical Vulnerability: Gitlab update out of order

by
Critical Vulnerability: Gitlab update out of order

With the out-of-order emergency update, Gitlab developers are patching a number of security holes, one of which could allow attackers to take over user accounts, a critical leak. Gitlab creators advise administrators and users to quickly download and install updated versions. For the Software-as-a-Service (SaaS) offering with Project Hosting, Project has also reset all passwords as a security measure.

The new versions close a total of 17 vulnerabilities, of which the developers classify one as critical risk, two as high risk, nine as medium risk and five as low risk. Errors can be found in both the Community edition and the Enterprise edition.

multiple vulnerability

The most serious vulnerability occurred when using OmniAuth registration, that is, with a type of single sign-on system based on OAuth, LDAP or SAML. Accounts created in this way were assigned a hard-coded password to allow attackers to take over the account (CVE-2022-1162, CVSS) 9.1risk Fragile,

So on gitlab.com, i.e. the SaaS version, project supervisors reset the passwords of selected accounts as a security measure. Upon investigation, they found no evidence that the loophole had already been misused.

In addition, attackers may have injected HTML code into Notes using so-called stored cross-site scripting due to insufficient filtering of user input (CVE-2022-1175, CVSS). 8.7, High) Similar vulnerability was found in multi-word references to milestones in issue descriptions, comments, etc. (CVE-2022-1190, CVSS 8.7, High,

Updated Components

New versions of CommonMarker, Devise, go-proxyproto, Grafana, MatterMost, Python, and Swagger are also aimed at closing the security gap. GitLab Release Notes Also list details of other security updates and a single non-security update.

READ  Android update: Motorola and Samsung distribute Android 11, Google Android successor

with new versions 14.7.7, 14.8.5 And 14.9.2 Gitlab developers fix security gaps. On gitlab.com’s SaaS offering, the servers are already up to date with new software. Administrators can find ready-made containers and source code with instructions and notes gitlab update page, To prevent attackers from exploiting critical security gaps and other vulnerabilities, IT managers should install updates promptly. In the past, administrators were very hesitant to do so.


(DMK)

on home page

0
Laurence Porter
Written By
More from Laurence Porter
FORSPOKEN: 10-minute gameplay trailer gives comprehensive insight into Athiya’s world
Square Enix and Luminous Productions today released the 10-minute gameplay trailer for...
Read More

You may also like

Snapdragon 6: Qualcomm Chip Makes Cheap Smartphones Better
Snapdragon 6: Qualcomm Chip Makes Cheap Smartphones Better
Samsung Galaxy Z Fold2 and S20 FE benchmarked with Snapdragon 865
Samsung Galaxy Z Fold2 and S20 FE benchmarked with Snapdragon 865
Spectacular Images From Mars: "Wow, Another Surprise!"
Spectacular Images From Mars: “Wow, Another Surprise!”
Leave a comment

Your email address will not be published. Required fields are marked *