CVE-2022-1162
Published: 2022-04-04
Priority: P278 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit listed
EPSS: 76.18% (99.5th percentile)
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.7.0 < 14.7.7 | 14.7.7 |
| gitlab | gitlab | >= 14.8.0 < 14.8.5 | 14.8.5 |
| gitlab | gitlab | >= 14.9.0 < 14.9.2 | 14.9.2 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)

path: /users/sign_in

snort:

```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2022_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

bytes: `&user%5Bpassword%5D=123qweQWE%21%40%23`
- Detect exploitation attempts by monitoring HTTP POST requests to /users/sign_in whose request body contains the URL-encoded hardcoded password string `&user%5Bpassword%5D=123qweQWE%21%40%23`.
- Passively fingerprint vulnerable GitLab versions by matching unique SHA-256 hashes of the application-.css file returned in unauthenticated GET requests to /users/sign_in. Six specific hashes correspond to affected versions (14.7 < 14.7.7, 14.8 < 14.8.5, 14.9 < 14.9.2).
- Use the regex pattern `(?:application-)(\S{64})(?:\.css)` against HTTP responses to extract the CSS asset hash for version fingerprinting of vulnerable GitLab instances.
- Use Shodan queries `http.title:"GitLab"` or `cpe:"cpe:2.3:a:gitlab:gitlab"` to discover internet-exposed GitLab instances for proactive scanning.
- The Nuclei template performs passive detection only; a positive CSS hash match does not confirm exploitability, only that the instance is a potentially vulnerable version.
- The hardcoded password only applies to accounts registered via OmniAuth providers (OAuth, LDAP, SAML) on affected versions; native GitLab accounts are not affected.
- The Snort/ET rule requires SSL decryption to be effective against HTTPS GitLab deployments, as indicated by the deployment metadata tag SSLDecrypt.
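The two detection approaches listed above, the request-body indicator from the ET rule and the CSS-hash fingerprint used by the Nuclei template, can be reproduced in a log-review script. The following is an added example written for this page, not code from GitLab, Emerging Threats or the Nuclei project. It mirrors the ET rule's matching logic (POST to /users/sign_in, the URL-encoded password marker, then the rule's relative `pcre:"/^0+(?:&|$)/R"` check, i.e. the marker must be followed by one or more `0` and then `&` or end of body), and applies the page's `(?:application-)(\S{64})(?:\.css)` regex to a response body. The tab-separated log format, the sample request and response lines, and the function names are constructed for the example; the set of vulnerable CSS hashes is a placeholder, since the page says six hashes exist but does not list them.

```python
import re
from typing import List, NamedTuple, Optional

# Indicators taken from the ET rule quoted on this page (sid 2035750).
SIGN_IN_PATH = "/users/sign_in"
ENCODED_PASSWORD_MARKER = "&user%5Bpassword%5D=123qweQWE%21%40%23"
# Python equivalent of the rule's relative pcre "/^0+(?:&|$)/R": immediately after
# the marker, the body must continue with one or more '0' and then '&' or end.
TRAILING_ZERO_RUN = re.compile(r"^0+(?:&|$)")

# Regex quoted on the page for pulling the CSS asset hash out of a response.
CSS_HASH_RE = re.compile(r"(?:application-)(\S{64})(?:\.css)")

# PLACEHOLDER set (assumption): the page states six hashes identify affected
# builds but does not list them; load the real values from the Nuclei template.
KNOWN_VULNERABLE_CSS_HASHES = {"0" * 64}


class HttpRequest(NamedTuple):
    method: str
    path: str
    body: str


def parse_request_log_line(line: str) -> HttpRequest:
    """Parse one constructed log line of the form METHOD<TAB>PATH<TAB>BODY."""
    method, path, body = line.rstrip("\n").split("\t", 2)
    return HttpRequest(method, path, body)


def is_hardcoded_password_login(req: HttpRequest) -> bool:
    """True when the request matches the ET rule's conditions for CVE-2022-1162."""
    if req.method != "POST" or req.path != SIGN_IN_PATH:
        return False
    idx = req.body.find(ENCODED_PASSWORD_MARKER)
    if idx == -1:
        return False
    remainder = req.body[idx + len(ENCODED_PASSWORD_MARKER):]
    return TRAILING_ZERO_RUN.match(remainder) is not None


def scan_request_log(lines: List[str]) -> List[int]:
    """Return the indices of log lines that look like hardcoded-password logins."""
    return [i for i, line in enumerate(lines)
            if is_hardcoded_password_login(parse_request_log_line(line))]


def extract_css_hash(html: str) -> Optional[str]:
    """Extract the 64-character application-<hash>.css asset hash, if present."""
    m = CSS_HASH_RE.search(html)
    return m.group(1) if m else None


def css_hash_is_known_vulnerable(html: str) -> bool:
    """Passive version check: a match only means 'potentially vulnerable build'."""
    h = extract_css_hash(html)
    return h is not None and h in KNOWN_VULNERABLE_CSS_HASHES


# Constructed sample log: only line 1 satisfies every condition of the rule.
SAMPLE_LOG = [
    "POST\t/users/sign_in\tutf8=%E2%9C%93&user%5Blogin%5D=alice&user%5Bpassword%5D=correct-horse&user%5Bremember_me%5D=0",
    "POST\t/users/sign_in\tutf8=%E2%9C%93&user%5Blogin%5D=bob&user%5Bpassword%5D=123qweQWE%21%40%2300000000&user%5Bremember_me%5D=0",
    "GET\t/users/sign_in\t",
    # marker present but not followed by a run of zeros: the rule's pcre rejects it
    "POST\t/users/sign_in\tutf8=%E2%9C%93&user%5Blogin%5D=carol&user%5Bpassword%5D=123qweQWE%21%40%23xyz",
    # right body, wrong path
    "POST\t/api/v4/session\tutf8=%E2%9C%93&user%5Blogin%5D=dave&user%5Bpassword%5D=123qweQWE%21%40%230000",
]

# Constructed response fragments for the fingerprint check.
SAMPLE_HTML_UNKNOWN = '<link rel="stylesheet" href="/assets/application-' + "ab" * 32 + '.css" />'
SAMPLE_HTML_PLACEHOLDER_MATCH = '<link rel="stylesheet" href="/assets/application-' + "0" * 64 + '.css" />'

if __name__ == "__main__":
    print("suspicious request lines:", scan_request_log(SAMPLE_LOG))
    print("asset hash:", extract_css_hash(SAMPLE_HTML_UNKNOWN))
    print("placeholder hash matched:", css_hash_is_known_vulnerable(SAMPLE_HTML_PLACEHOLDER_MATCH))
```

The zero-run requirement is kept deliberately so the script fires on exactly what the ET rule fires on; a broader hunt that only looks for the password marker will also catch line 3 above at the cost of more false positives. As the page notes, the fingerprint half only tells you a build is potentially affected, so a hash match should trigger a version check and patch, not be treated as proof of compromise.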
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
Red Hat
CVE-2022-49522 [MEDIUM] kernel: mmc: jz4740: Apply DMA engine limits to maximum segment size
vendor_redhat · 2025-02-26 · CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
mmc: jz4740: Apply DMA engine limits to maximum segment size
Do what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and
limit the maximum segment size based on the DMA engine's capabilities. This
is needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c
DMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]
CPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19
Workqueue: kblockd blk_mq_run_work_fn
Stack : 81575aec 00000004 806200
GitLab
CVE-2022-1162 [CRITICAL] CWE-798
vendor_gitlab · 2022-04-04 · CVSS 9.1
CVE-2022-1162: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Debian
CVE-2022-1162 [CRITICAL] gitlab
vendor_debian · 2022 · CVSS 9.1
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
CVE-2022-1162 [CRITICAL] CWE-798 GHSA-vrqc-vwgr-qqp5
ghsa_unreviewed · 2022-04-05
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
OSV
CVE-2022-1162 [CRITICAL]
osv · 2022-04-04 · CVSS 9.8
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Suricata
CVE-2022-1162 [CRITICAL] ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)
suricata · 2022-04-05 · CVSS 9.1

Rule (sid 2035750, truncated in source):

```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signat
```
Suricata
CVE-2022-1162 [CRITICAL] ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)
suricata · 2022-04-05 · CVSS 9.1

Rule (sid 2035751, hex-encoded content variant, truncated in source):

```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High
```
Exploit-DB
CVE-2022-1162 [CRITICAL] Gitlab 14.9 - Authentication Bypass
exploitdb · 2022-04-26 · CVSS 9.1

```text
# Exploit Title: Gitlab 14.9 - Authentication Bypass
# Date: 12/04/2022
# Exploit Authors: Greenwolf
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1162
# References: https://github.com/Greenwolf/CVE-2022-1162
```
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts.
Exploit:
New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched v
Nuclei
CVE-2022-1162 [CRITICAL] GitLab CE/EE - Hard-Coded Credentials
nuclei · CVSS 9.8
GitLab CE/EE contains a hard-coded credentials vulnerability. A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML), allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Affected versions are 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.
Template (truncated in source):

```yaml
id: CVE-2022-1162
info:
  name: GitLab CE/EE - Hard-Coded Credentials
  author: GitLab Red Team
  severity: critical
  description: GitLab CE/EE contains a hard-coded credentials vulner
```
Checkpoint
CVE-2022-22965 4th April – Threat Intelligence Report
blogs_checkpoint · 2022-04-04
## 4th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th April, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research (CPR) revealed a large spike in attacks committed by advanced persistent threat groups (APTs) around the world, using lures utilizing the war between Russia and Ukraine. Most of the attacks started with spear-phishing emails that contained documents with malicious macros dropping malware such as Loki.Rat ba
References

- http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/357210