GitLab addressed critical account take over via SCIM email change

Pierluigi Paganini June 04, 2022

GitLab addresses a critical security vulnerability, tracked as CVE-2022-1680, that could be exploited by an attacker to take over users’ accounts.

GitLab has fixed a critical security flaw in its GitLab Enterprise Edition (EE), tracked as CVE-2022-1680 (CVSS score 9.9), that could be exploited to take over an account.

The vulnerability impacts all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1.

“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus – in the absence of 2FA – take over those accounts.” reads the advisory published by GitHub. “It is also possible for the attacker to change the display name and username of the targeted account.”

This CVE-2022-1680 flaw was discovered by a member of the GitLab team.

The company also addressed other seven flaws, the complete list is reported in the following table:

Account take over via SCIM email changecritical
Stored XSS in Jira integrationhigh
Quick action commands susceptible to XSShigh
IP allowlist bypass when using Trigger tokensmedium
IP allowlist bypass when using Project Deploy Tokensmedium
Improper authorization in the Interactive Web Terminalmedium
Subgroup member can list members of parent groupmedium
Group member lock bypasslow

The company urges users to upgrade to the latest version as soon as possible.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GitLab)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment