Response to CVE-2022-1162 using LDAP

DanySahne288 · April 4, 2022, 5:19pm

Regarding this article: GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7 | GitLab

I’ve upgraded from 14.8.2 to 14.9.2. The script at the end of the article lists a few users for me. That means all these users are affected? Since they are all LDAP users, do these users need to reset their LDAP password? What does the reset described here Reset a user's password | GitLab do for LDAP users?
Any help would be appreciated, I’m new to GitLab and rather confused what to do now.

iwalker · April 4, 2022, 6:17pm

Since you are using LDAP, it should be changed from the LDAP side, and not using the method from the gitlab docs reset a users password page. So either force the reset within LDAP or ask those users to change their passwords themselves.

DanySahne288 · April 4, 2022, 9:28pm

I’ve come across this Generated passwords for users created through integrated authentication | GitLab. So I’m assuming that’s the static/hardcoded password and why the passwords should be reset. That’s what I ended up doing.

Topic		Replies	Views
Proper response to CVE-2022-1162 using LDAP auth Migrations	6	1437	April 8, 2022
Convert LDAP user to local gitlab user Self-managed ldap	1	2055	April 10, 2020
User with both LDAP and standard passwords How to Use GitLab	0	693	March 1, 2022
Unable to login after performing upgrade to v15 Self-managed ldap	5	1706	February 24, 2024
LDAP login doesn't work after changing a users DN Self-managed ldap	1	1242	January 20, 2015

Response to CVE-2022-1162 using LDAP

Related topics