Exploitation of CVE-2022-1162 can allow a threat actor to guess the hard-coded password of an affected GitLab account with relative ease. The root cause lies in the account registration process for users created through an OmniAuth provider (e.g., OAuth, LDAP, SAML): a hard-coded password following a predictable pattern is set on the new account, which allows a threat actor to brute-force a registered user's password based on that pattern. Note that only GitLab deployments where user accounts are created using an OmniAuth provider are in scope for CVE-2022-1162.
Upgrade to the patched releases (versions 14.9.2, 14.8.5, and 14.7.7). This is a critical vulnerability and the patches should be applied immediately.
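As an added example (not part of the advisory or GitLab's own code), the following Ruby helper classifies a GitLab version string against the three fixed releases named above, so an inventory of self-managed instances can be triaged for upgrade. It assumes the version strings look like those GitLab reports (e.g. "14.8.4-ee"); release lines older than 14.7 are reported as unknown because the advisory does not cover them.

```ruby
require 'rubygems' # Gem::Version ships with Ruby

# Fixed releases named in the advisory, keyed by release line.
FIXED_BY_LINE = {
  [14, 7] => Gem::Version.new('14.7.7'),
  [14, 8] => Gem::Version.new('14.8.5'),
  [14, 9] => Gem::Version.new('14.9.2'),
}.freeze

# Normalise strings such as "14.8.4-ee" or "v14.9.1" to a comparable version.
# The edition suffix must be dropped: Gem::Version would otherwise treat
# "14.9.2-ee" as a prerelease that sorts *below* 14.9.2.
def parse_gitlab_version(raw)
  cleaned = raw.to_s.strip.sub(/\Av/, '').sub(/[-+\s].*\z/, '')
  unless cleaned =~ /\A\d+(\.\d+){1,2}\z/
    raise ArgumentError, "unrecognised GitLab version: #{raw.inspect}"
  end
  Gem::Version.new(cleaned)
end

# Classify a GitLab version against the patched releases for CVE-2022-1162.
# Returns :patched, :vulnerable, or :unknown (a line the advisory does not cover).
def cve_2022_1162_status(raw)
  version = parse_gitlab_version(raw)
  major, minor = version.segments.first(2)
  fixed = FIXED_BY_LINE[[major, minor]]
  if fixed
    version >= fixed ? :patched : :vulnerable
  elsif version >= FIXED_BY_LINE[[14, 9]]
    :patched  # 14.10 and later release lines carry the fix forward
  else
    :unknown  # earlier lines are outside the advisory's patched ranges
  end
end

# Sample instance inventory (constructed for this example).
if __FILE__ == $PROGRAM_NAME
  %w[14.7.6-ee 14.7.7 14.8.4 14.8.5-ce 14.9.1 v14.9.2 14.10.0 15.0.1 14.6.9].each do |v|
    puts format('%-12s %s', v, cve_2022_1162_status(v))
  end
end
```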