CVE-2022-1162
published 2022-04-04


Priority: P278 (critical; CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 76.18% (99.5th percentile)
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts

Affected

9 ranges
Vendor   Product     Version range                   Fixed in
debian   gitlab      < gitlab 15.10.8+ds1-2 (sid)    gitlab 15.10.8+ds1-2 (sid)
gitlab   gitlab      (unspecified)                   (unspecified)
gitlab   gitlab      (unspecified)                   (unspecified)
gitlab   gitlab      (unspecified)                   (unspecified)
gitlab   gitlab      (unspecified)                   (unspecified)
gitlab   gitlab      >= 14.7.0 < 14.7.7              14.7.7
gitlab   gitlab      >= 14.8.0 < 14.8.5              14.8.5
gitlab   gitlab      >= 14.9.0 < 14.9.2              14.9.2
gitlab   gitlab_ce   (unspecified)                   (unspecified)

Detection & IOCs (extracted from sources)

Hardcoded password (other): 123qweQWE!@#000000000
Path: /users/sign_in
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2022_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Bytes: &user%5Bpassword%5D=123qweQWE%21%40%23
  • Detect exploitation attempts by monitoring HTTP POST requests to /users/sign_in containing the URL-encoded hardcoded password string &user%5Bpassword%5D=123qweQWE%21%40%23 in the request body.
  • Passively fingerprint vulnerable GitLab versions by matching unique SHA-256 hashes of the application-.css file returned in unauthenticated GET requests to /users/sign_in. Six specific hashes correspond to affected versions (14.7 < 14.7.7, 14.8 < 14.8.5, 14.9 < 14.9.2).
  • Use the regex pattern (?:application-)(\S{64})(?:\.css) against HTTP responses to extract the CSS asset hash for version fingerprinting of vulnerable GitLab instances.
  • Use Shodan queries 'http.title:"GitLab"' or 'cpe:"cpe:2.3:a:gitlab:gitlab"' to discover internet-exposed GitLab instances for proactive scanning.
  • The Nuclei template performs passive detection only; positive CSS hash matches do not confirm exploitability, only that the instance is a potentially vulnerable version.
  • The hardcoded password only applies to accounts registered via OmniAuth providers (OAuth, LDAP, SAML) on affected versions; native GitLab accounts are not affected.
  • The Snort/ET rule requires SSL decryption to be effective against HTTPS GitLab deployments, as indicated by the deployment metadata tag SSLDecrypt.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 9.1 CRITICAL
vendor_redhat: 5.5 MEDIUM