vulnerability
Gitlab Gitlab: CVE-2022-1162: Use of Hard-coded Credentials
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Apr 4, 2022 | Apr 22, 2025 | Mar 25, 2026 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Apr 4, 2022
Added
Apr 22, 2025
Modified
Mar 25, 2026
Description
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
Solution
gitlab-gitlab-upgrade-latest
References
- CWE-798
- CVE-2022-1162
- https://attackerkb.com/topics/CVE-2022-1162
- http://packetstormsecurity.com/files/166828/Gitlab-14.9-Authentication-Bypass.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/357210
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-24504
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.