GitLab Patches a Critical Account Takeover Vulnerability
June 6, 2022
GitLab has released a security update that patches a critical account takeover vulnerability, CVE-2022-1680, together with seven other, less severe vulnerabilities.
The critical vulnerability affects only GitLab Enterprise Edition (EE), and only under the conditions described in the next section.
The Critical Vulnerability
- CVE-2022-1680 (CVSS 3.0: 9.9, Critical Severity) – An account takeover issue has been discovered in GitLab EE. When group SAML SSO is configured, the SCIM feature (available only on Premium and higher subscriptions) may allow any owner of a Premium group to invite arbitrary users by username and email, then change those users' email addresses via SCIM to an attacker-controlled address and thus, in the absence of 2FA on the targeted accounts, take over those accounts.
Affected Products
- GitLab Enterprise Edition:
- All versions from 11.10 before 14.9.5.
- All versions from 14.10 before 14.10.4.
- All versions from 15.0 before 15.0.1.
Mitigation
CYREBRO recommends:
- Upgrading GitLab EE to 14.9.5, 14.10.4 or 15.0.1 (or a later release) as soon as possible.
- Enforcing 2FA for all GitLab users, since the takeover path described above only works against accounts that have no 2FA enabled.
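The two checks below are an added example for self-managed administrators reading this advisory; they are not tooling from GitLab or CYREBRO. The first decides whether a given GitLab version string (as returned by `GET /api/v4/version`, e.g. `15.0.1-ee`) falls inside the affected ranges listed above, treating a `-ce` suffix as not affected because only EE is. The second lists active users without 2FA, the accounts the SCIM email change could take over; it assumes the admin-only `GET /api/v4/users` response carries a boolean `two_factor_enabled` per user, and the JSON it runs on is constructed for the example, not captured from a real instance.

```python
"""Two offline checks for CVE-2022-1680 exposure (added example, not GitLab's code).

Assumptions:
  * affected ranges exactly as the advisory lists them:
      11.10 <= v < 14.9.5,  14.10 <= v < 14.10.4,  15.0 <= v < 15.0.1
  * GET /api/v4/users (admin token) returns "two_factor_enabled" per user;
    SAMPLE_USERS below is constructed in that shape, not real data.
"""
import json
import re

# (lower bound inclusive, upper bound exclusive) per the advisory
AFFECTED_RANGES = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]


def parse_version(text):
    """Turn '15.0.1-ee' or '14.10.4' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if an EE instance at this version is inside an affected range.

    Community Edition ('-ce' suffix) is not affected per the advisory, so it
    is never reported; a bare version with no suffix is checked by range only.
    """
    if version_text.strip().endswith("-ce"):
        return False
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def users_without_2fa(users_json):
    """Return usernames of active users that have no 2FA enabled.

    These are the accounts that the SCIM email-change step could take over;
    blocked users are skipped because they cannot log in anyway.
    """
    users = json.loads(users_json)
    return sorted(
        u["username"]
        for u in users
        if u.get("state") == "active" and not u.get("two_factor_enabled", False)
    )


# Constructed sample shaped like GET /api/v4/users?per_page=100 as an admin.
SAMPLE_USERS = json.dumps([
    {"id": 2, "username": "alice", "state": "active", "two_factor_enabled": True},
    {"id": 3, "username": "bob", "state": "active", "two_factor_enabled": False},
    {"id": 4, "username": "carol", "state": "blocked", "two_factor_enabled": False},
    {"id": 5, "username": "dave", "state": "active"},  # field missing -> treat as no 2FA
])

if __name__ == "__main__":
    for ver in ("14.9.4-ee", "14.9.5-ee", "14.10.3", "15.0.0-ee", "15.0.1-ee", "15.0.0-ce"):
        print(f"{ver:>10}: {'AFFECTED' if is_affected(ver) else 'ok'}")
    print("active users without 2FA:", users_without_2fa(SAMPLE_USERS))
```

To run it against a live instance, feed `is_affected` the `version` field from `/api/v4/version` and `users_without_2fa` the body of an admin `/api/v4/users` call (paginate; the default page is 20 users). A missing `two_factor_enabled` field is deliberately treated as "no 2FA" so that an unexpected response shape errs on the side of flagging the account.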
References: GitLab Advisory.