Gitlab – Static passwords set during OmniAuth-based registration (CVE-2022-1162) (opens in new tab)

(about.gitlab.com)

66 pointsaltharaz3y ago22 comments

22 comments

To save folks some digging on what exactly this means—it's exactly what it sounds like: https://gitlab.com/gitlab-org/gitlab/-/commit/e2fb87ec5d4e23...

altharazOP3y ago

The hardcoded password seems to be:

Gitlab::Password.test_default(21) => "123qweQWE!@#000000000"

eek21213y ago

Do they not have a code review process?

mdaniel3y ago

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318

and I actually suspected it was a matter of the change hiding in an absolute sea of diffs, but there's a comment on the file right below the change: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318/...

> (10 Jan, 2022 1 commit) JH need more complex passwords

> (30 Mar, 2022 1 commit) Revert "JH need more complex passwords"

oops

---

In case others are wondering what's up with the JiHu label and its matching "gitlab-jh" group: https://about.gitlab.com/handbook/ceo/chief-of-staff-team/ji...

5 more replies

krebsonsecurity3y ago

This appears to be related. One Github user shared an alert they got today, two days after connecting their Github account to Gitlab. Something about an app added to the account. Their Github has 2fa turned on and a very strong password:

https://twitter.com/briankrebs/status/1509910113716514822

j / k navigate · click thread line to collapse