GitLab Enterprise Edition security bypass | CVE-2022-1680
NAME
GitLab Enterprise Edition security bypass
- Platforms Affected:
  GitLab Enterprise Edition 11.0
  GitLab Enterprise Edition 14.9.4
  GitLab Enterprise Edition 14.10.3
  GitLab Enterprise Edition 15.0
  GitLab Enterprise Edition 14.10
- Risk Level: 9.9
- Exploitability: Unproven
- Consequences: Bypass Security
DESCRIPTION
GitLab Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the SCIM feature when group SAML SSO is configured. By sending a specially-crafted request to invite arbitrary users by their username and email, an attacker could exploit this vulnerability to take over the invited accounts and change their display name and username.
CVSS 3.0 Information
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Refer to GitLab Web site for patch, upgrade or suggested workaround information. See References.
- Reference Link: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
- Reference Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1680