GitLab Issues Security Patch for Critical Account Takeover Vulnerability

Technology

GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover.

Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

CyberSecurity

“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.

Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.

CyberSecurity

Also resolved by GitLab in versions 15.0.1, 14.10.4, and 14.9.5 are seven other security vulnerabilities, two of which are rated high, four are rated medium, and one is rated low in severity.

Users running an affected installation of the aforementioned bugs are recommended to upgrade to the latest version as soon as possible.

Products You May Like

Articles You May Like

The Best Winter Coats For Men: The Down Low on Down Jackets
Fed rate decision November 2024:
My Chemical Romance Announces ‘The Black Parade’ 2025 Tour Dates
Las Vegas Sun Calls Out Trump’s Mental Illness And Cognitive Decline
Trump picks RFK Jr. for Health and Human Services secretary