GitLab has moved to address a serious security flaw in its services that could lead to an account takeover if used successfully.
Tracked as CVE-2022-1680, the flaw carries a CVSS severity score of 9.9 and was discovered internally by the company. The security bug affects all versions of GitLab Enterprise Edition (EE) starting at 11.10 before 14.9.5, all versions starting at 14.10 before 14.10.4, and all versions starting at 15.0 before 15.0.1.
"When group SAML SSO is configured, the SCIM feature (only available on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus, in the absence of 2FA, take over those accounts," GitLab says.
After achieving this, a malicious actor may change the display name and username of the targeted account, the DevOps platform provider warned in its advisory published on June 1, 2022.
GitLab also addressed seven other security vulnerabilities in versions 15.0.1, 14.10.4, and 14.9.5, two of which were rated high, four moderate, and one low in severity.
Users running an installation affected by the aforementioned bugs are advised to upgrade to the latest version as soon as possible.
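As an added example (not code from GitLab or the advisory), the following helper checks whether a reported GitLab version falls inside the affected ranges quoted above and names the first fixed release on that branch. The range table is constructed from the advisory's numbers; the `-ee`/`-ce` suffix handling and the assumption that an unsuffixed version string is Enterprise Edition are mine.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected GitLab EE ranges from the advisory, as [first_affected, first_fixed).
# Constructed from the article's numbers; Community Edition is not listed.
AFFECTED_RANGES = (
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
)


def parse_version(text: str) -> Tuple[Version, str]:
    """Split 'MAJOR.MINOR[.PATCH][-ee|-ce]' into a numeric tuple and edition.

    An unsuffixed string is treated as EE (assumption, conservative choice).
    """
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    edition = suffix.lower() or "ee"
    return (nums[0], nums[1], nums[2]), edition


def is_affected(text: str) -> bool:
    """True if this version/edition is inside an affected range."""
    version, edition = parse_version(text)
    if edition != "ee":
        return False  # only Enterprise Edition is listed as affected
    return any(start <= version < fixed for start, fixed in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """First fixed release on the matching branch, or None if not affected."""
    version, edition = parse_version(text)
    if edition != "ee":
        return None
    for start, fixed in AFFECTED_RANGES:
        if start <= version < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    for v in ("14.10.3-ee", "14.10.4-ee", "15.0.0", "14.9.4-ce"):
        print(v, "affected" if is_affected(v) else "not affected", recommended_fix(v))
```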