GitLab published a security advisory on Thursday, saying "A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue."
The bug, tracked as CVE-2022-1162 and rated critical with a CVSS score of 9.1 out of 10, was discovered by GitLab's internal team and affects both GitLab Community Edition (CE) and Enterprise Edition (EE).
GitLab strongly recommends that all installations running an affected version be upgraded to the latest version as soon as possible.
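A practical way to act on that recommendation is to check an instance's reported version against the three ranges the advisory names. The following Ruby script is an added example, not GitLab's own code or tooling; it encodes the affected ranges from the advisory text (14.7 below 14.7.7, 14.8 below 14.8.5, 14.9 below 14.9.2) and assumes a version string of the usual `major.minor.patch` form, optionally followed by a suffix such as `-ee`. The sample versions at the bottom are constructed for illustration.

```ruby
# Added example (not GitLab's code): decide whether a GitLab CE/EE version
# falls inside the ranges named in the CVE-2022-1162 advisory.

# Affected ranges from the advisory: each minor series is vulnerable
# below the listed patch release.
AFFECTED_RANGES = {
  [14, 7] => 7, # 14.7.0 .. 14.7.6 affected, fixed in 14.7.7
  [14, 8] => 5, # 14.8.0 .. 14.8.4 affected, fixed in 14.8.5
  [14, 9] => 2  # 14.9.0 .. 14.9.1 affected, fixed in 14.9.2
}.freeze

# Parse strings such as "14.8.3" or "14.8.3-ee" into [major, minor, patch].
def parse_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised version string: #{str.inspect}" unless m

  m.captures.map(&:to_i)
end

# True when the version is inside an affected range. Series the advisory
# does not name (for example 14.6 or 15.0) are reported as not affected
# by this particular advisory, not as safe in general.
def affected_by_cve_2022_1162?(version_str)
  major, minor, patch = parse_version(version_str)
  fixed_patch = AFFECTED_RANGES[[major, minor]]
  return false if fixed_patch.nil?

  patch < fixed_patch
end

# Minimum fixed release for an affected series, or nil when the series
# is not named in the advisory.
def fixed_release_for(version_str)
  major, minor, = parse_version(version_str)
  fixed_patch = AFFECTED_RANGES[[major, minor]]
  fixed_patch && "#{major}.#{minor}.#{fixed_patch}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; a real check would read the instance's
  # own version string instead.
  %w[14.7.6 14.7.7 14.8.4-ee 14.9.1 14.9.2 14.6.9 15.0.0].each do |v|
    status = if affected_by_cve_2022_1162?(v)
               "affected, upgrade to #{fixed_release_for(v)} or later"
             else
               "not in the advisory's affected ranges"
             end
    puts "#{v}: #{status}"
  end
end
```

The comparison is deliberately per-series rather than a single "is it below 14.9.2" test, because the advisory lists a separate fixed patch release for each of the three minor series; a 14.7.7 instance is fixed even though it is numerically below 14.8.0.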
GitLab says there is no indication that any users or accounts have been compromised, but as a precaution it reset the passwords of a limited number of GitLab.com users as part of the mitigation effort.
Along with this critical account-takeover bug, GitLab fixed the following vulnerabilities:
"We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version," GitLab added.