CVE-2022-1680
Published 2022-06-06
CVE-2022-1680: An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before…
Priority: P265 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.47% (96.4th percentile)
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus, in the absence of 2FA, take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 11.10.0 < 14.9.5 | 14.9.5 |
| gitlab | gitlab | >= 14.10.0 < 14.10.4 | 14.10.4 |
| gitlab | gitlab_ee | — | — |
Detection & IOCs (extracted from sources)
- Attack vector: a group owner abuses the SCIM API to change a targeted user's email address to an attacker-controlled address, enabling account takeover when 2FA is absent. Monitor SCIM endpoint calls that modify user email, display name, or username attributes, especially from group owners.
- The attack also allows modification of the display name and username of the targeted account via SCIM: alert on unexpected SCIM PATCH/PUT requests that alter username or display name fields for existing users.
- Prerequisite condition: group SAML SSO must be configured. Audit GitLab EE instances with group SAML SSO enabled and Premium+ subscriptions for suspicious SCIM activity.
- The vulnerability only affects GitLab EE (Enterprise Edition) with group SAML SSO configured AND the SCIM feature active (requires a Premium+ subscription). Community Edition is not affected.
- Account takeover is only possible in the absence of 2FA on the targeted account. Enforcing 2FA mitigates the final takeover step.
- Affected version ranges: GitLab EE >= 11.10 and < 14.9.5; >= 14.10 and < 14.10.4; >= 15.0 and < 15.0.1. The Debian sid fix landed in 15.10.8+ds1-2.
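The monitoring advice above (alert on SCIM PATCH/PUT requests that rewrite email, username or display name of an existing user, with extra weight when the caller is a group owner) can be turned into a small log-review check. The following is an added example written for this page; it is not code from GitLab, Debian or any of the sources listed here. It assumes a constructed audit-log format of one JSON object per request carrying `method`, `path`, `actor`, `actor_role` and the parsed request `body`, and it assumes SCIM user resources live under `/api/scim/v2/groups/<group>/Users/<id>`; both the log shape and the path pattern must be adjusted to whatever your instance or proxy actually records. The sample events are constructed for the demonstration.

```python
"""Flag SCIM user updates that rewrite identity attributes (CVE-2022-1680 review aid).

Added example; not code from the page's sources or from GitLab. The log format
(one JSON object per request with method, path, actor, actor_role, body) and the
SCIM path shape are assumptions for the demonstration.
"""
import json
import re

# Attributes the advisory says a group owner could rewrite through SCIM.
SENSITIVE_ATTRS = {"emails", "username", "displayname", "name"}

# Assumed SCIM user resource path; adapt to the real routing of the instance.
SCIM_USER_PATH = re.compile(
    r"^/api/scim/v2/groups/(?P<group>[^/]+)/Users/(?P<user>[^/]+)$"
)


def scim_attrs_touched(body: dict) -> set:
    """Return the sensitive SCIM attributes a PATCH (PatchOp) or PUT body modifies."""
    touched = set()
    ops = body.get("Operations")
    if ops:
        # RFC 7644 PatchOp: an op names a path, or carries a value object whose
        # keys are the attributes being written.
        for op in ops:
            path = op.get("path")
            if path:
                # 'emails[type eq "work"].value' -> 'emails', 'name.formatted' -> 'name'
                touched.add(re.split(r"[\[.]", path, maxsplit=1)[0].lower())
            elif isinstance(op.get("value"), dict):
                touched.update(k.lower() for k in op["value"])
    else:
        # PUT replaces the whole resource, so every top-level key is a write.
        touched.update(k.lower() for k in body if k not in ("schemas", "id"))
    return touched & SENSITIVE_ATTRS


def find_suspicious_scim_writes(log_lines):
    """Scan JSON-per-line request records and report identity rewrites on existing users."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") not in ("PATCH", "PUT"):
            continue  # creation (POST) of a new user is not the rewrite step
        m = SCIM_USER_PATH.match(rec.get("path", ""))
        if not m:
            continue
        attrs = scim_attrs_touched(rec.get("body") or {})
        if not attrs:
            continue
        findings.append({
            "actor": rec.get("actor"),
            "actor_role": rec.get("actor_role"),
            "group": m.group("group"),
            "target_user": m.group("user"),
            "attrs": sorted(attrs),
            # Rewriting the email is the takeover step itself (when 2FA is absent);
            # username/display-name changes alone are impersonation, rated lower.
            "severity": "high" if "emails" in attrs else "medium",
        })
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/api/scim/v2/groups/acme/Users", "actor": "owner1",
     "actor_role": "owner", "body": {"userName": "victim",
                                     "emails": [{"value": "victim@corp.example", "primary": True}]}},
    {"method": "PATCH", "path": "/api/scim/v2/groups/acme/Users/42", "actor": "owner1",
     "actor_role": "owner", "body": {
         "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
         "Operations": [{"op": "Replace", "path": "emails[type eq \"work\"].value",
                         "value": "someone@attacker.example"}]}},
    {"method": "PATCH", "path": "/api/scim/v2/groups/acme/Users/42", "actor": "owner1",
     "actor_role": "owner", "body": {
         "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
         "Operations": [{"op": "Replace", "path": "active", "value": False}]}},
    {"method": "PUT", "path": "/api/scim/v2/groups/acme/Users/43", "actor": "owner1",
     "actor_role": "owner", "body": {
         "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "43",
         "userName": "renamed.user", "displayName": "Trusted Admin",
         "name": {"formatted": "Trusted Admin"},
         "emails": [{"value": "someone@attacker.example", "primary": True}], "active": True}},
    {"method": "GET", "path": "/api/scim/v2/groups/acme/Users/42", "actor": "auditor",
     "actor_role": "maintainer", "body": None},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in find_suspicious_scim_writes(SAMPLE_LOG.splitlines()):
        print(finding)
```

Deactivation (`active`) and user creation are deliberately not flagged, so the check stays focused on the attribute rewrites the advisory describes; in practice you would join the `target_user` against your directory to see whether 2FA is enforced for that account, since that is what turns an email rewrite into a takeover.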
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- Vendor (Debian): 9.9 CRITICAL
GHSA
GHSA-whxf-7mv4-g5wm · ghsa_unreviewed · 2022-06-07 · HIGH
GHSA-whxf-7mv4-g5wm: An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11
Description: identical to the CVE text above.
GitLab
CVE-2022-1680 · vendor_gitlab · 2022-06-06 · CVSS 9.9 · CRITICAL
Description: identical to the CVE text above.
Debian
CVE-2022-1680: gitlab · vendor_debian · 2022 · CVSS 9.9 · CRITICAL
Description: identical to the CVE text above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system
blogs_talos · 2023-05-10 · CVSS 8.6 · HIGH · CVE-2022-41985
## Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system
Kelly Leuschner of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two vulnerabilities in a library for µC/OS, an open-source operating system developed by Micrium.
µC/OS is an embedded operating system that supports TCP/IP, USB, CAN bus and Modbus. The two vulnerabilities Talos discovered specifically exist in the operating system’s FTP server.
TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.
Similarly, TALOS-2022-1681 (CVE-2022-46377 - CVE-2022-46378) is also triggered by a set of network packets, though in this case, it can cause a denial-of-service and a use-after-free condition
Checkpoint
6th June – Threat Intelligence Report
blogs_checkpoint · 2022-06-06 · CVSS 7.8 · HIGH · CVE-2022-30190
## 6th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
An unaffiliated threat actor has been initiating a phishing campaign targeting government entities in Europe and the U.S., exploiting the recently disclosed Microsoft Office “Follina” vulnerability, tracked as CVE-2022-30190.
Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Microsoft Sup