GitLab Releases a Security Patch to Address a Critical Account Takeover Vulnerability

GitLab has taken steps to address a critical security flaw in its service, which could result in account takeover if successfully exploited.
The vulnerability, identified as CVE-2022-1680, has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) beginning with 11.10 and ending with 14.9.5, as well as all versions beginning with 15.0 and ending with 15.0.1.
“When group SAML SSO is enabled, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users via their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab explained.
A malicious actor can then change the display name and username of the targeted account, according to the advisory the DevOps platform provider published on June 1, 2022.
GitLab also fixed seven other security flaws in versions 15.0.1, 14.10.4, and 14.9.5, two of which are rated high, four as medium, and one as low in severity.
Users running an installation affected by the aforementioned bugs are advised to upgrade as soon as possible.
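To turn the article's version information into something an administrator can run against an inventory, the following script (an added example, not GitLab's own tooling) parses GitLab version strings and reports whether each instance falls inside the affected ranges. The 11.10 to 14.9.5 and 15.0 to 15.0.1 ranges are read from the article as "first affected up to, but excluding, the first patched release"; treating the 14.10.x branch as affected below 14.10.4 is an assumption drawn from the article listing 14.10.4 among the patched releases. The hostnames in the sample inventory are constructed. A version match only establishes exposure to the bug; as the article notes, exploitation also requires group SAML SSO with SCIM enabled and accounts without 2FA.

```python
"""Check GitLab version strings against the ranges the article gives for
CVE-2022-1680.  Added illustration, not GitLab's own code."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Each entry is (first affected, first fixed): a version v is affected when
# first_affected <= v < first_fixed.  The 11.10/14.9.5 and 15.0/15.0.1 pairs
# come from the article; the 14.10/14.10.4 pair is an assumption based on the
# article listing 14.10.4 as a patched release.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]

# Accepts "15.0.1", "14.9" and edition-suffixed strings such as "14.10.4-ee".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-ee|-ce)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str, edition: str = "EE") -> bool:
    """True when an Enterprise Edition version sits inside an affected range.

    The flaw lives in EE's group SAML/SCIM features, so Community Edition
    instances are reported as not affected."""
    if edition.upper() != "EE":
        return False
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> Optional[str]:
    """For an affected version, return the first patched release on its branch."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def assess_fleet(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (host, version, edition) triple to a one-line status."""
    report: Dict[str, str] = {}
    for host, version, edition in inventory:
        if edition.upper() != "EE":
            report[host] = "not affected (not Enterprise Edition)"
        elif is_affected(version, edition):
            report[host] = f"affected, upgrade to >= {minimum_fix(version)}"
        else:
            report[host] = "patched"
    return report


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("git-prod.example.internal", "14.9.4-ee", "EE"),
    ("git-staging.example.internal", "15.0.1-ee", "EE"),
    ("git-lab.example.internal", "15.0.0-ce", "CE"),
]

if __name__ == "__main__":
    for host, status in assess_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feeding the script a real inventory is a matter of replacing SAMPLE_INVENTORY with the output of whatever asset database or `/api/v4/version` sweep the organisation already runs; the comparison logic does not change.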