A new security release from GitLab addresses a critical vulnerability that could enable account takeover, as well as several high- and medium-severity flaws.
The critical flaw (CVE-2022-1680), which carries a CVSS score of 9.9, stems from an issue in GitLab Enterprise Edition, the commercially licensed distribution of the repository hosting service. If exploited, the flaw can allow account takeover. GitLab versions 15.0.1, 14.10.4 and 14.9.5 for both GitLab Community Edition and Enterprise Edition address the vulnerabilities.
“We strongly recommend that all installations running a version affected by the issues… are upgraded to the latest version as soon as possible,” according to Nick Malcolm, senior security engineer with GitLab, in a security release this week. “These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.”
GitLab said the issue specifically stems from a flaw in its implementation of the System for Cross-domain Identity Management (SCIM), an open standard that automates user provisioning. GitLab offers SCIM only on Premium and higher subscriptions.
When group SAML single sign-on is configured, SCIM may allow any owner of a Premium group to invite arbitrary users by username and email, then change those users' email addresses to an attacker-controlled address. If the targeted accounts are not protected by two-factor authentication (2FA), the attacker can then take them over through the new email address. GitLab said the attacker can also change the display name and username of the targeted account.
The flaw affects all GitLab Enterprise Edition versions from 11.10 before 14.9.5, all versions from 14.10 before 14.10.4, and all versions from 15.0 before 15.0.1. GitLab said the vulnerability was discovered internally.
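The affected ranges above are easy to misread because the fix landed on three release branches at once (a 14.9.6 instance is patched, a 14.10.0 instance is not). The following is an added example, not GitLab's own code, that encodes those ranges and reports whether a given version string is affected and which release on the same branch fixes it. The version-string format it expects ("15.0.0-ee", "14.9.4-ce") is the form GitLab reports from its /api/v4/version endpoint, but the "-ee"/"-ce" suffix convention is an assumption made here, not something the advisory states; a bare version with no suffix is treated as Enterprise Edition so the check errs toward flagging an instance.

```python
"""Check a GitLab version string against the CVE-2022-1680 affected ranges.

Added example, not GitLab's code. The ranges come from the advisory text;
the "-ee"/"-ce" suffix convention is an assumption.
"""
import re
from typing import Optional, Tuple

# (first affected, first fixed) per release branch, as listed in the advisory.
AFFECTED_RANGES = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]

# major.minor[.patch][-suffix], e.g. "15.0.0-ee", "14.10", "15.0.0-pre"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+]([A-Za-z0-9.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Return ((major, minor, patch), suffix) for a GitLab version string.

    A missing patch number is treated as .0, so "14.10" means 14.10.0.
    Raises ValueError for anything that does not look like a version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def is_enterprise(suffix: Optional[str]) -> bool:
    """Assumption: '-ee' marks Enterprise Edition, '-ce' Community Edition.

    No suffix (or an unrelated one such as '-pre') is treated as EE so that
    the check flags rather than silently clears an unknown build.
    """
    if suffix is None:
        return True
    return not suffix.lower().startswith("ce")


def is_affected_by_cve_2022_1680(version: str) -> bool:
    """True if the version is an EE release inside an affected range.

    SCIM is EE-only, so Community Edition builds are never flagged.
    """
    ver, suffix = parse_version(version)
    if not is_enterprise(suffix):
        return False
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """The patched release on the same branch, or None if not affected."""
    ver, suffix = parse_version(version)
    if not is_enterprise(suffix):
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= ver < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not versions read from real instances.
    samples = ["15.0.0-ee", "14.10.3-ee", "14.9.4-ee", "14.9.6-ee",
               "15.0.1-ee", "11.9.9-ee", "15.0.0-ce"]
    for v in samples:
        print(f"{v:12} affected={is_affected_by_cve_2022_1680(v)!s:5} "
              f"fix={fixed_version_for(v)}")
```

Feed the function the string your instance returns (an administrator token against /api/v4/version gives it); note that a "not affected" result only covers CVE-2022-1680, since the same release also fixed the Jira and quick-action XSS issues, so the upgrade is warranted either way.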
GitLab also issued patches for two high-severity flaws. The first, a stored cross-site scripting (XSS) flaw (CVE-2022-1940) in the Jira integration feature of GitLab Enterprise Edition, could allow an attacker to execute arbitrary JavaScript in GitLab via specially crafted Jira issues. The second (CVE-2022-1948), also in GitLab Enterprise Edition, stemmed from missing input validation in the quick actions command and could enable attackers to mount a cross-site scripting attack by injecting HTML into contact details.
In April, GitLab fixed another critical flaw that also enabled account takeover; that one stemmed from a hardcoded password. It affected several versions of GitLab’s software, and customers were likewise warned to update their instances as soon as possible.