A new security release from GitLab addresses a critical vulnerability that could enable account takeover, as well as several high- and medium-severity flaws.
The critical flaw (CVE-2022-1680), which has a 9.9 CVSS score, stems from an issue in GitLab Enterprise Edition, which is the repository hosting service’s distribution that can be run as a commercial subscription. If exploited, the flaw can allow for account takeover. GitLab versions 15.0.1, 14.10.4 and 14.9.5 for GitLab Community Edition and Enterprise Edition address the vulnerabilities.
“We strongly recommend that all installations running a version affected by the issues… are upgraded to the latest version as soon as possible,” according to Nick Malcolm, senior security engineer with GitLab, in a security release this week. “These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.”
GitLab said that the issue specifically stems from a glitch in the System for Cross-domain Identity Management (SCIM), an open standard that automates user provisioning, which is available only on Premium+ subscriptions.
When the group SAML single sign-on feature is configured, SCIM may enable any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses to an attacker-controlled email address. If an organization does not have security measures like two-factor authentication (2FA) in place, the attacker would then be able to take over those accounts. GitLab said it is also possible for the attacker to change the display name and username of the targeted account.
The flaw impacts all GitLab Enterprise Edition versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4 and all versions starting from 15.0 before 15.0.1. GitLab said the vulnerability was discovered internally.
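The three affected ranges above are easy to misread when checking a fleet of self-managed instances by hand (note the gap between 14.9.5 and 14.10, and that only the first patch release of 15.0 is affected). The following is an added example, not GitLab's own tooling: a small Python helper that encodes exactly the ranges the advisory states and reports whether a given version string is affected and which fixed release it should move to. The version strings in the sample run are constructed; the `-ee` / `-ce` suffix handling is an assumption about how such strings are commonly written and is ignored for ordering.

```python
"""Check whether a GitLab version falls inside the ranges affected by
CVE-2022-1680, as stated in the advisory coverage above.

Affected ranges (per the article):
  >= 11.10 and < 14.9.5
  >= 14.10 and < 14.10.4
  >= 15.0  and < 15.0.1
"""
from __future__ import annotations

import re

# (lower bound, inclusive) -> (first fixed release, exclusive)
AFFECTED_RANGES = (
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
)

# MAJOR.MINOR[.PATCH][-suffix]; the suffix (e.g. "-ee") is an assumed
# distribution tag and does not participate in ordering.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a version string into a (major, minor, patch) tuple.

    A missing patch component is treated as 0, so "14.10" sorts as 14.10.0.
    Raises ValueError on strings that do not look like a version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(text: str) -> bool:
    """True if the version lies in any affected range from the advisory."""
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def minimum_fixed_version(text: str) -> str | None:
    """Return the patched release an affected instance should upgrade to,
    or None when the version is not in an affected range."""
    v = parse_version(text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inputs; not taken from any real instance.
    for sample in ("11.9.0-ee", "11.10.0-ee", "14.9.4-ee", "14.9.5-ee",
                   "14.10.3-ee", "14.10.4-ee", "15.0.0-ee", "15.0.1-ee"):
        print(f"{sample:12} affected={is_affected(sample)!s:5} "
              f"upgrade_to={minimum_fixed_version(sample)}")
```

Because tuple comparison is lexicographic, the boundaries behave as the advisory words them: 14.9.4 is affected and 14.9.5 is not, 14.10.3 is affected and 14.10.4 is not, and 15.0.0 is affected while 15.0.1 is not. A version such as 14.9.6 falls outside every range, which is also what the stated ranges imply.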
In April, GitLab fixed another critical security flaw enabling account takeover, which stemmed from a hardcoded password. The hardcoded password impacted several versions of GitLab’s software and customers were warned to update their instances as soon as possible.