Critical GitLab Vulnerability Lets Attackers Take Over Accounts (bleepingcomputer.com)
GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords. Bleeping Computer reports: The bug (discovered internally and tracked as CVE-2022-1162) affects both GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw results from static passwords accidentally set during OmniAuth-based registration in GitLab CE/EE. GitLab urged users to immediately upgrade all GitLab installations to the latest versions (14.9.2, 14.8.5, or 14.7.7) to block potential attacks. GitLab also added that it reset the passwords of a limited number of GitLab.com users as part of the CVE-2022-1162 mitigation effort. It also found no evidence that any accounts have been compromised by attackers using this hardcoded password security flaw.
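The practical question for anyone running self-hosted GitLab is whether each instance is at or past the fixed release for its branch. The script below is an added example, not GitLab's own tooling: it parses a GitLab version string (including the "-ee" suffix GitLab appends to Enterprise builds), compares it against the three fixed versions the advisory names, and refuses to guess for minor branches the advisory does not mention. It also assesses the JSON body of GitLab's GET /api/v4/version endpoint, which returns the running version and revision (calling it on a real instance needs an access token); the response bodies used here are constructed sample data.

```python
"""Classify GitLab versions relative to the CVE-2022-1162 fix.

Added example, not GitLab's own code. The fixed versions 14.9.2, 14.8.5
and 14.7.7 are the ones named in the advisory; the sample API bodies in
main() are constructed data, not captured from a real instance.
"""
import json
import re
from typing import Tuple

# Fixed release per affected minor branch, as named in the advisory.
FIXED_VERSIONS = {
    (14, 9): (14, 9, 2),
    (14, 8): (14, 8, 5),
    (14, 7): (14, 7, 7),
}

# Accept "14.8.4", "14.8.4-ee", "14.8.4-rc1" etc.; only the numeric prefix matters.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a GitLab version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a version string.

    'unknown' means the minor branch is not one the advisory names, so the
    result is left for manual review rather than guessed.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def assess_api_response(body: str) -> str:
    """Assess the JSON body returned by GET /api/v4/version.

    The endpoint returns {"version": "...", "revision": "..."}; only the
    version field is used here.
    """
    version = json.loads(body).get("version")
    if not version:
        raise ValueError("response carries no 'version' field")
    return assess(version)


def main() -> None:
    # Constructed sample responses, one per hypothetical instance.
    samples = {
        "git.example.internal": '{"version": "14.8.4-ee", "revision": "0123abc"}',
        "gitlab.example.org": '{"version": "14.9.2", "revision": "4567def"}',
        "legacy.example.org": '{"version": "14.6.3", "revision": "89ab012"}',
    }
    for host, body in samples.items():
        print(f"{host}: {assess_api_response(body)}")


if __name__ == "__main__":
    main()
```

To audit a fleet, replace the constructed bodies with the result of an authenticated request to each instance's `/api/v4/version` and treat both "vulnerable" and "unknown" as items to follow up on; the "unknown" bucket exists precisely so that a branch outside the advisory's list is not silently reported as safe.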
Re: (Score:3)
Even if you've got multiple baskets, you don't want one of them being overturned.
Sync to Github (Score:2)
Rather than expose my internal Gitlab for public projects I mirror them to Github. This works out to be the best of both worlds for me.
VPN is for internal users.