GitLab has discovered and fixed a highly critical vulnerability that could lead to account takeover.
Tracked as CVE-2022-1680 and rated 9.9 out of 10 on the CVSS scale, the flaw affects GitLab Enterprise Edition in all versions from 11.10 before 14.9.5, from 14.10 before 14.10.4, and from 15.0 before 15.0.1. The issue was discovered internally by a member of the GitLab team.
CVE-2022-1680: GitLab Vulnerability
How can the account takeover vulnerability in GitLab Enterprise Edition be exploited?
According to the official advisory, “when group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus – in the absence of 2FA – take over those accounts.”
An attacker can also change the display name and username of the targeted account.
“Self-managed administrators can check whether group_saml is enabled by reviewing ‘Configuring Group SAML on a self-managed GitLab instance,’” the company added.
GitLab fixed seven other security issues in versions 15.0.1, 14.10.4, and 14.9.5 of its software: two rated high in severity, four rated medium, and one rated low.
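For administrators inventorying self-managed instances, the following added example (not GitLab's own tooling) encodes the three affected ranges from the advisory and decides whether a reported version string needs the patch. It assumes the version string has the shape GitLab's real `GET /api/v4/version` endpoint returns (`"14.10.3-ee"`); the JSON sample inside the block is constructed, so it runs offline.

```python
"""Decide whether a GitLab version is in a range affected by CVE-2022-1680.

Added example, not GitLab's own code. Ranges are taken from the advisory:
11.10 <= v < 14.9.5, 14.10 <= v < 14.10.4, 15.0 <= v < 15.0.1 (EE only).
"""
import json
import re
from typing import Tuple

# (first affected, first fixed) per release branch, per the advisory
AFFECTED_RANGES = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_ee) from a GitLab version string.

    Enterprise Edition reports versions such as '14.9.4-ee'; Community
    Edition omits the suffix.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\w+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, m.group(4) == "ee"


def is_affected(version: str) -> bool:
    """True when the version is an EE release inside an affected range.

    CE is not in scope: group SAML SSO and SCIM are EE/Premium features,
    and the advisory lists only Enterprise Edition versions.
    """
    nums, is_ee = parse_version(version)
    if not is_ee:
        return False
    return any(lo <= nums < hi for lo, hi in AFFECTED_RANGES)


def check_version_response(body: str) -> dict:
    """Evaluate a /api/v4/version JSON body and report a verdict.

    The real endpoint requires an authenticated token; the body passed
    here is a constructed sample with the same {"version": ...} shape.
    """
    version = json.loads(body)["version"]
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    sample = '{"version": "14.10.3-ee", "revision": "abc123"}'  # constructed
    print(check_version_response(sample))
```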