GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover.
Tracked as CVE-2022-1680, the issue carries a CVSS severity score of 9.9 and was discovered internally by the company. The flaw affects GitLab Enterprise Edition (EE) in all versions from 11.10 before 14.9.5, all versions from 14.10 before 14.10.4, and all versions from 15.0 before 15.0.1. Note that the ranges are per release branch: 14.9.5, 14.10.4 and 15.0.1 are the first fixed releases, and an instance on 14.10.3, for example, is still affected even though 14.9.5 is a lower version number.
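Deciding whether an instance is affected is a matter of comparing its version against the three ranges above, which is easy to get wrong with string comparison ("14.9.5" sorts after "14.10.3"). The following is an added example written for this article, not GitLab's own tooling: it parses a GitLab version string and checks it against the ranges exactly as the advisory states them. The `-ee` suffix handling and the two-component shorthand (`15.0` meaning `15.0.0`) are assumptions about input shape, not anything the advisory says.

```python
"""Check a GitLab EE version against the CVE-2022-1680 affected ranges.

Added example for this article; not GitLab's own code. The ranges come from
GitLab's advisory: 11.10 <= v < 14.9.5, 14.10 <= v < 14.10.4, 15.0 <= v < 15.0.1.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected release, first fixed release) per branch: inclusive / exclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '14.10.3' or '14.10.3-ee' into a comparable (major, minor, patch) tuple.

    Comparing tuples of ints avoids the string-comparison pitfall where
    '14.9.5' > '14.10.3'. A missing patch component is assumed to mean .0
    (an assumption made for this example, not advisory wording).
    """
    core = text.strip().split("-", 1)[0]          # drop '-ee' / '-ce' style suffix
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies in any advisory range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed_release(version: str) -> Optional[str]:
    """Return the first fixed release on the matching branch, or None if not affected.

    For the 11.10 .. 14.9.5 range this is 14.9.5, since the advisory names no
    earlier backport.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for sample in ["14.10.3-ee", "14.9.5", "15.0", "14.9.4", "11.9.9"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} upgrade_to={first_fixed_release(sample)}")
```

Run it as a script to see each sample classified; in practice you would feed it the version reported by the instance's `/api/v4/version` endpoint (a GitLab API endpoint that exists, though not one the advisory mentions).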
“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.
Having done so, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.
Also resolved by GitLab in versions 15.0.1, 14.10.4, and 14.9.5 are seven other security vulnerabilities, two of which are rated high, four medium, and one low in severity.
Users running an affected installation are recommended to upgrade to the latest version as soon as possible. Since the takeover path described above works only where the targeted accounts lack 2FA, requiring two-factor authentication is a reasonable interim safeguard until the upgrade is complete, but it does not replace it.