Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-1162: Hard-coded Credentials in GitLab

Severity: 9.8 CRITICAL (NVD)
EPSS: 88.9% (top 0.47%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Apr 4; Latest update Feb 26

Description

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (5 packages)

NVD: gitlab/gitlab, 14.7.0 to 14.7.7 (+2 more)
Debian: debian/gitlab, < gitlab 15.10.8+ds1-2 (sid)
CVEListV5: gitlab/gitlab, >=14.7, <14.7.7, >=14.8, <14.8.5, >=14.9, <14.9.2 (+2 more)
GitLab: gitlab/gitlab

🔴 Vulnerability Details (2)

GHSA: GHSA-vrqc-vwgr-qqp5: A hardcoded password was set for accounts registered using an OmniAuth provider ... (2022-04-05)
OSV: CVE-2022-1162: A hardcoded password was set for accounts registered using an OmniAuth provider ... (2022-04-04)

💥 Exploits & PoCs (2)

Exploit-DB: Gitlab 14.9 - Authentication Bypass (2022-04-26)
Nuclei: GitLab CE/EE - Hard-Coded Credentials

🔍 Detection Rules (2)

Suricata: ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162) (2022-04-05)
Suricata: ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162) (2022-04-05)

📋 Vendor Advisories (3)

Red Hat: kernel: mmc: jz4740: Apply DMA engine limits to maximum segment size (2025-02-26)
GitLab: CVE-2022-1162: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7 ... (2022-04-04)
Debian: CVE-2022-1162: gitlab - A hardcoded password was set for accounts registered using an OmniAuth provider ... (2022)