• GitLab scrambles to release emergency fix after password snafu

    From TechnologyDaily@1337:1/100 to All on Mon Apr 4 12:45:03 2022
    GitLab scrambles to release emergency fix after password snafu

    Date:
    Mon, 04 Apr 2022 11:21:48 +0000

    Description:
    The company issued patches to fix a total of 12 vulnerabilities.

    FULL STORY ======================================================================

    GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) have been patched to fix a major flaw regarding hard-coded passwords, the company has revealed.

    In an advisory that accompanied the fix, GitLab explained how the flaw gave potential attackers the ability to completely take over vulnerable endpoints.

    The vulnerability revolves around how the software generates a fake "strong" password for testing. There are three elements: User.password_length.max, the user-configurable maximum password length; DEFAULT_LENGTH, which is hard-coded at 12 characters; and the fake strong password used for testing, "123qweQWE!@#".

    The difference between the first two lengths is filled with zeros.

    So, for example, if a user were to set a maximum number of characters for a password at 21, the software would combine 123qweQWE!@# with a number of
    zeros to reach that maximum. In this particular example, it would be 123qweQWE!@#000000000, and that password would grant access to all accounts created with OmniAuth.
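    The padding behaviour described above, reconstructed as an added Ruby example beside a hardened generator and a defender-side check. This is illustrative code written for this page, not GitLab's own; the module and method names are assumptions.

```ruby
require 'securerandom'

# Reconstruction of the password-generation flaw described in the article
# (CVE-2022-1162). Module and method names are assumptions for illustration.
module OmniAuthPasswordExample
  DEFAULT_LENGTH = 12               # hard-coded length named in the article
  TEST_DEFAULT   = '123qweQWE!@#'   # the fake "strong" test password from the article

  # Vulnerable behaviour: the fixed test string is padded with zeros up to the
  # configured maximum, so every OmniAuth-created account ends up with the
  # same, fully predictable password (e.g. max 21 -> "123qweQWE!@#000000000").
  def self.weak_password(max_length)
    TEST_DEFAULT + ('0' * [max_length - DEFAULT_LENGTH, 0].max)
  end

  # Hardened behaviour: draw each password from a CSPRNG, so no account's
  # password can be derived from configuration values alone.
  def self.random_password(length)
    SecureRandom.alphanumeric(length)
  end

  # Defender-side check: does a candidate password follow the predictable
  # pattern (test string followed only by zeros)? Against a stored digest you
  # would instead verify weak_password(configured_max) against that digest.
  def self.predictable?(password)
    password.start_with?(TEST_DEFAULT) &&
      password[DEFAULT_LENGTH..-1].match?(/\A0*\z/)
  end
end
```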

    The bug is tracked as CVE-2022-1162, and was given a severity score of 9.1.

    It was discovered, and patched, by the GitLab team, and allegedly wasn't abused in the wild, with the company saying that no user identities have been stolen so far.

    "We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC [Thursday]," the advisory reads. "Our investigation shows no indication that users or accounts have been compromised but we're taking precautionary measures for our users' security."

    GitLab is DevOps software that offers a one-stop shop for developers looking to create, secure, and operate their software. The cloud-hosted software's newest versions include 14.9.2, 14.8.5, and 14.7.7, and the developers are urging users to apply the patches immediately.

    In total, 12 flaws have been fixed with these patches, including a stored XSS vulnerability. According to company data, GitLab has a million active users.

    Via: The Register



    ======================================================================
    Link to news story: https://www.techradar.com/news/gitlab-scrambles-to-release-emergency-fix-after-password-snafu/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)