GitLab releases a security update to address a critical account takeover flaw
GitLab has released a major security update to address eight vulnerabilities in its Community and Enterprise Edition products, one of which allows account takeover. GitLab is a web-based Git repository manager built for development teams that collaborate on code remotely; it has 30 million registered users and 1 million paying customers.
Taking control of a GitLab account has serious ramifications: an attacker may gain access to developers’ projects and steal source code.
The issue affects all GitLab versions from 11.10 through 14.9.4, 14.10 through 14.10.3, and version 15.0. It is tracked as CVE-2022-1680 and rated critical with a CVSS score of 9.9.
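The affected ranges above are the first thing an administrator has to check against a fleet of instances, and a naive string comparison gets them wrong (14.10 sorts before 14.9 lexically). The following is an added example, not GitLab's code: it encodes the article's ranges as inclusive bounds and tests a reported version string against them with Ruby's `Gem::Version`. It assumes "version 15.0" means 15.0 itself, strips edition suffixes such as `-ee` before comparing, and reads the `version` field from the JSON that GitLab's `/api/v4/version` endpoint returns (the endpoint is real; the response body used below is a constructed sample).

```ruby
require "rubygems"  # Gem::Version ships with Ruby's standard library
require "json"

# Affected ranges exactly as the article lists them (inclusive on both ends).
# Assumption: "version 15.0" is read as 15.0 itself. The article names no fixed
# releases, so a version outside these ranges is "not listed as affected", not "patched".
AFFECTED_RANGES = [
  %w[11.10 14.9.4],
  %w[14.10 14.10.3],
  %w[15.0 15.0],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Normalise a GitLab version string: strip edition suffixes such as "-ee",
# which Gem::Version would otherwise treat as a pre-release tag and sort low.
def normalise_gitlab_version(raw)
  Gem::Version.new(raw.to_s.strip.sub(/-[A-Za-z]+\z/, ""))
end

# True when the given version falls inside one of the affected ranges.
# Raises ArgumentError for strings that are not version numbers at all.
def affected_by_cve_2022_1680?(version_string)
  v = normalise_gitlab_version(version_string)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v <= hi }
end

# Wrapper for the JSON body returned by GitLab's /api/v4/version endpoint
# (real endpoint; the sample body used in main below is constructed).
def affected_from_version_api(json_body)
  affected_by_cve_2022_1680?(JSON.parse(json_body).fetch("version"))
end

if __FILE__ == $PROGRAM_NAME
  sample_api_body = '{"version":"14.10.2-ee","revision":"0123abcd"}' # constructed sample
  %w[11.9.9 11.10.0 14.9.4 14.9.5 14.10.3-ee 14.10.4 15.0.0-ee 15.0.1].each do |ver|
    puts "#{ver.ljust(12)} affected: #{affected_by_cve_2022_1680?(ver)}"
  end
  puts "API sample #{sample_api_body} affected: #{affected_from_version_api(sample_api_body)}"
end
```

Because the check returns a boolean rather than printing, it drops straight into an inventory script or a test suite; feed it the `version` value of each instance and alert on `true`.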
According to the company's advisory, the issue is exploitable only on instances with a specific configuration, and the potential for abuse is reduced where two-factor authentication is enabled on the targeted accounts.
Administrators can also check whether Security Assertion Markup Language (SAML) access protection is enabled by consulting GitLab's documentation, which explains how to configure the feature to the required policy.
The security updates also address two high-severity issues. The first, CVE-2022-1940, is a cross-site scripting (XSS) vulnerability in the Jira integration component with a severity rating of 7.7.
The second, CVE-2022-1948, is a missing input-validation check that allows HTML injection into contact list details, enabling XSS attacks; it has a severity rating of 8.7.
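The class of bug described for CVE-2022-1948, a stored field rendered without validation or encoding, is easiest to see side by side. The following is an added illustration, not GitLab's code and not the actual vulnerable component: a constructed contact record whose name field carries markup, the unsafe rendering pattern that lets it through, the hardened form that entity-encodes every untrusted value with Ruby's `CGI.escapeHTML`, an input-side validation rule, and a small check a test suite can run over rendered output. All function names, the template, and the sample record are assumptions made for the example.

```ruby
require "cgi"

# Constructed contact record: the name field carries attacker-controlled markup,
# the kind of value a missing input-validation check would let through.
CONTACT = { name: "Mallory <img src=x onerror=alert(1)>", email: "mallory@example.test" }.freeze

# Input-side check: a contact name never needs angle brackets or quotes.
# Rejecting them at the boundary is defence in depth, not a substitute for output encoding.
def valid_contact_name?(name)
  !name.nil? && name.length.between?(1, 255) && name.match?(/\A[^<>"']+\z/)
end

# Vulnerable pattern: untrusted fields interpolated straight into HTML.
# Whatever markup the name contains is parsed and executed by the browser.
def render_contact_unsafe(contact)
  "<li class=\"contact\">#{contact[:name]} &lt;#{contact[:email]}&gt;</li>"
end

# Hardened pattern: every untrusted value is HTML-entity encoded at output time,
# so the same payload is displayed as literal text instead of being parsed as a tag.
def render_contact_safe(contact)
  name  = CGI.escapeHTML(contact[:name].to_s)
  email = CGI.escapeHTML(contact[:email].to_s)
  "<li class=\"contact\">#{name} &lt;#{email}&gt;</li>"
end

# Test-suite style check: does the rendered fragment contain any raw tag that is
# not part of the template? This template only ever emits <li> and </li>.
def leaks_markup?(rendered_html)
  rendered_html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.any? { |tag| tag != "li" }
end

if __FILE__ == $PROGRAM_NAME
  puts "input valid?   #{valid_contact_name?(CONTACT[:name])}"
  unsafe = render_contact_unsafe(CONTACT)
  safe   = render_contact_safe(CONTACT)
  puts "unsafe render: #{unsafe}  leaks markup? #{leaks_markup?(unsafe)}"
  puts "safe render:   #{safe}  leaks markup? #{leaks_markup?(safe)}"
end
```

The point of keeping both the validation rule and the output encoding is that they fail independently: validation protects records written through the checked path, while encoding protects every render, including records that entered through an import or an older code path that never validated.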
GitLab Inc. is an open-core company that provides GitLab, a DevOps software package that combines the ability to develop, secure, and operate software in a single application. The open source software project was created by Ukrainian developer Dmitriy Zaporozhets and Dutch developer Sytse Sijbrandij.