GitLab Issues Security Patch for Critical Account Takeover Vulnerability

News

GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover.

Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

CyberSecurity

“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.

Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.

CyberSecurity

Also resolved by GitLab in versions 15.0.1, 14.10.4, and 14.9.5 are seven other security vulnerabilities, two of which are rated high, four are rated medium, and one is rated low in severity.

Users running an affected installation of the aforementioned bugs are recommended to upgrade to the latest version as soon as possible.

Products You May Like

Articles You May Like

Bitcoin Fog Founder Sentenced to 12 Years for Cryptocurrency Money Laundering
CISOs Turn to Indemnity Insurance as Breach Pressure Mounts
Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
Massive Telecom Hack Exposes US Officials to Chinese Espionage
THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 – Nov 10)

Leave a Reply

Your email address will not be published. Required fields are marked *