CVE-2022-1162
📋 TL;DR
This vulnerability allows attackers to take over user accounts in GitLab instances configured with OmniAuth providers (OAuth, LDAP, SAML). Attackers can exploit a hardcoded password to authenticate as any user registered through these external authentication providers. All GitLab CE/EE instances with affected versions and OmniAuth enabled are vulnerable.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts registered via OmniAuth providers, allowing attackers to access sensitive repositories, pipelines, and administrative functions.
Likely Case
Targeted account takeover of specific users, leading to unauthorized access to source code, CI/CD pipelines, and sensitive project data.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still represents a significant authentication bypass vulnerability.
🎯 Exploit Status
Exploitation requires knowledge of the hardcoded password and targeting users registered via OmniAuth. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.7.7, 14.8.5, 14.9.2
Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to patched version: 14.7.7, 14.8.5, or 14.9.2.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable OmniAuth
Temporarily disable external authentication providers until patching can be completed.
Edit /etc/gitlab/gitlab.rb and set 'gitlab_rails["omniauth_enabled"] = false'
Run 'gitlab-ctl reconfigure'
🧯 If You Can't Patch
- Implement strict network access controls to limit GitLab access to trusted IPs only
- Enable detailed authentication logging and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check GitLab version and OmniAuth configuration. If version is in affected range and OmniAuth is enabled, the instance is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Verify that the GitLab version is 14.7.7, 14.8.5, or 14.9.2, or a later release. Confirm that OmniAuth login still works correctly after the update.
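The version check above can be scripted so it is repeatable across a fleet. The following is an added example, not part of the original advisory or of GitLab's own tooling: it extracts the `Version:` line from the output of `gitlab-rake gitlab:env:info`, then classifies the version against the fix releases listed on this page (14.7.7, 14.8.5, 14.9.2). A version in one of those minor series below the fix is reported as vulnerable, a version at or above the fix (or in a later series) as patched, and any series this page does not list is reported as unlisted so that someone checks the vendor advisory. The sample `gitlab:env:info` output embedded below is constructed for the demonstration; on a real host you would feed in the command's actual output.

```shell
#!/bin/sh
# Added example: classify a GitLab version against the CVE-2022-1162 fix releases
# named on this page. Not the advisory's or GitLab's own code.

# Pull the version number out of captured `sudo gitlab-rake gitlab:env:info` output.
# Argument 1: the full captured output. Prints e.g. "14.9.1" (suffixes such as -ee dropped).
gitlab_version_from_env_info() {
  printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "vulnerable", "patched", or "unlisted" for a version string such as 14.9.1 or 14.8.5-ee.
cve_2022_1162_status() {
  ver="$1"
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}            # keep leading digits only
  case "$rest" in
    *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;   # strip suffixes like -ee
    *)   patch=0 ;;                                      # "14.9" with no patch component
  esac
  [ -n "$patch" ] || patch=0

  # Anything after the 14.9 series is newer than every fix release on this page.
  if [ "$major" -gt 14 ] || { [ "$major" -eq 14 ] && [ "$minor" -gt 9 ]; }; then
    echo patched
    return 0
  fi

  # Fix release (patch level) for each affected minor series named in the advisory.
  case "$major.$minor" in
    14.7) fix=7 ;;
    14.8) fix=5 ;;
    14.9) fix=2 ;;
    *)    echo unlisted; return 0 ;;   # series not covered by this page; consult the vendor advisory
  esac

  if [ "$patch" -ge "$fix" ]; then
    echo patched
  else
    echo vulnerable
  fi
}

# Constructed sample of `gitlab-rake gitlab:env:info` output (not captured from a real host).
SAMPLE_ENV_INFO='System information
System:		Ubuntu 20.04
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203

GitLab information
Version:	14.9.1
Revision:	(placeholder)
Directory:	/opt/gitlab/embedded/service/gitlab-rails'

# Stand-alone run: report the status of the sample host.
sample_version=$(gitlab_version_from_env_info "$SAMPLE_ENV_INFO")
echo "GitLab $sample_version: $(cve_2022_1162_status "$sample_version")"
```

On a real host, replace the constructed sample with `sudo gitlab-rake gitlab:env:info` output, for example `cve_2022_1162_status "$(gitlab_version_from_env_info "$(sudo gitlab-rake gitlab:env:info)")"`. Remember that a patched version alone does not tell you whether OmniAuth was enabled during the exposure window; the "Check if Vulnerable" step above still applies when reviewing past exposure.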
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful authentication with hardcoded password pattern
- Authentication events from unexpected IP addresses for OmniAuth users
Network Indicators:
- Authentication requests to OmniAuth endpoints with suspicious patterns
- Unusual traffic spikes to user authentication endpoints
SIEM Query:
source="gitlab" AND (event="login" OR event="authentication") AND (password="[hardcoded_pattern]" OR result="success" AND source_ip NOT IN [trusted_ips])
🔗 References
- http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/357210