Gitlab – Static passwords set during OmniAuth-based registration (CVE-2022-1162) (opens in new tab)

(about.gitlab.com)

66 pointsaltharaz4y ago22 comments

22 comments

To save folks some digging on what exactly this means—it's exactly what it sounds like: https://gitlab.com/gitlab-org/gitlab/-/commit/e2fb87ec5d4e23...

altharazOP4y ago

The hardcoded password seems to be:

Gitlab::Password.test_default(21) => "123qweQWE!@#000000000"

eek21214y ago

Do they not have a code review process?

mdaniel4y ago

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318

and I actually suspected it was a matter of the change hiding in an absolute sea of diffs, but there's a comment on the file right below the change: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318/...

> (10 Jan, 2022 1 commit) JH need more complex passwords

> (30 Mar, 2022 1 commit) Revert "JH need more complex passwords"

oops

---

In case others are wondering what's up with the JiHu label and its matching "gitlab-jh" group: https://about.gitlab.com/handbook/ceo/chief-of-staff-team/ji...

theptip4y ago

Thanks for doing the issue sleuthing. This is an excruciatingly bad look.

You'd have thought with all the code-owner functionality that GL has, they would lock down the `/lib/gitlab/auth/` files to require a security engineer to give additional signoff on top of a normal review. It looks like anyone at Gitlab can approve changes to the auth code (except LDAP): https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/C... which is terrifying if true.

2 more replies

krebsonsecurity4y ago

This appears to be related. One Github user shared an alert they got today, two days after connecting their Github account to Gitlab. Something about an app added to the account. Their Github has 2fa turned on and a very strong password:

https://twitter.com/briankrebs/status/1509910113716514822

j / k navigate · click thread line to collapse