Vulnerability in GitLab allows hijacking of accounts authenticated via OAuth, LDAP and SAML

The corrective updates 14.7.7, 14.8.5 and 14.9.2 of the GitLab collaborative development platform resolve a critical vulnerability (CVE-2022-1162) caused by a hardcoded password being set on accounts registered through an OmniAuth provider (OAuth, LDAP and SAML). The vulnerability potentially allows an attacker to gain access to such an account. All users are advised to install the update urgently. The details of the problem have not yet been disclosed. A password reset has been initiated for users whose accounts were affected. The problem was identified by GitLab staff, and the investigation found no evidence of user compromise.
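An administrator acting on this advisory wants two things: confirmation that the instance is on a fixed release, and a list of the accounts in scope of the password reset (those linked to an OmniAuth, LDAP or SAML identity). The script below is an added example, not code from opennet.ru or from GitLab. It works on the JSON that the real GitLab endpoints `GET /api/v4/version` and `GET /api/v4/users` (admin token required; the `identities` field carries the provider links) return, but the sample user list is constructed inline so it runs offline. The only fixed releases it knows are the three named in the article; treating branches newer than 14.9 as fixed is an assumption of this example.

```python
import json
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {(14, 7): 7, (14, 8): 5, (14, 9): 2}


def parse_version(version):
    """Parse the 'version' field of GET /api/v4/version, e.g. '14.9.1-ee'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """Return (needs_upgrade, reason) for CVE-2022-1162, judged against the
    fixed releases 14.7.7, 14.8.5 and 14.9.2 from the advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Assumption of this example: branches after 14.9 ship with the fix;
        # anything older than 14.7 is outside the fixed series and must move up.
        if (major, minor) > (14, 9):
            return False, "newer than the fixed 14.9 branch"
        return True, "release branch predates the fixed branches; upgrade"
    if patch >= fixed:
        return False, f"at or above fixed release {major}.{minor}.{fixed}"
    return True, f"below fixed release {major}.{minor}.{fixed}"


def external_accounts(users_json):
    """Given the JSON list from GET /api/v4/users (admin token), return
    (username, providers) for every account linked to an external identity,
    i.e. the population whose passwords the advisory says were reset."""
    users = json.loads(users_json)
    result = []
    for u in users:
        providers = sorted(i["provider"] for i in u.get("identities", []))
        if providers:
            result.append((u["username"], providers))
    return result


# Constructed sample in the shape of GET /api/v4/users output (not real data).
SAMPLE_USERS = json.dumps([
    {"username": "alice",
     "identities": [{"provider": "saml", "extern_uid": "alice@example.test"}]},
    {"username": "bob", "identities": []},
    {"username": "carol",
     "identities": [{"provider": "ldapmain",
                     "extern_uid": "uid=carol,ou=people,dc=example,dc=test"},
                    {"provider": "github", "extern_uid": "12345"}]},
])


if __name__ == "__main__":
    for v in ("14.9.1-ee", "14.9.2-ee", "14.7.6", "14.6.3"):
        upgrade, why = needs_upgrade(v)
        print(f"{v:12} upgrade={upgrade!s:5} ({why})")
    for username, providers in external_accounts(SAMPLE_USERS):
        print(f"externally authenticated: {username} via {', '.join(providers)}")
```

Run it against a live instance by replacing the constructed sample with the response bodies of the two endpoints; the version check is deliberately strict about branches it does not recognise so that an out-of-series install is flagged rather than silently passed.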

The new versions also fix 16 further vulnerabilities, of which 2 are rated high severity, 9 medium and 5 low. The high-severity issues include the ability to inject HTML code (XSS) via notes (CVE-2022-1175) and via issue comments and descriptions (CVE-2022-1190).

Source: opennet.ru
