June 6, 2022
GitLab Patches a Critical Account Takeover Vulnerability
GitLab has released a critical security update, patching a critical account takeover vulnerability, as well as 7 other, less severe vulnerabilities.
The critical vulnerability affects only GitLab Enterprise Edition (EE) under certain conditions, described in the next section below.
The Critical Vulnerability
- CVE-2022-1680, (CVSS 3.0: 9.9, Critical Severity) – An account takeover issue has been discovered in GitLab EE, When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus – in the absence of 2FA – take over those accounts.
- GitLab Enterprise Edition:
- Versions 11.10, prior to version 14.9.5.
- Versions 14.10, prior to version 14.10.4.
- Versions 15.0, prior to version 15.0.1.
- Updating relevant products to their latest available versions.
- Enforcing 2FA on all GitLab users.
References: GitLab Advisory.