CVE-2022-1162
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2022-1162. We'll provide specific mitigation strategies based on your environment and risk profile.
CVSS Score
V3.1EPSS Score
v2025.03.14There is a 89.8% chance that this vulnerability will be exploited in the wild within the next 30 days.
Attack Vector Metrics
Impact Metrics
Description
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Available Exploits
GitLab CE/EE - Hard-Coded Credentials
GitLab CE/EE contains a hard-coded credentials vulnerability. A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML), allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Affected versions are 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.
References:
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
- http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
- https://nvd.nist.gov/vuln/detail/cve-2022-1162
Related News
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Advisory Details
CVSS Scoring
CVSS Score
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Advisory provided by GitHub Security Advisory Database. Published: April 5, 2022, Modified: April 12, 2022