cbcvebase.
CVE-2022-1680
published 2022-06-06


Priority: P2 (65, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 15.47% (96.4th percentile)
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.

Affected

9 ranges

Vendor | Product   | Version range                    | Fixed in
debian | gitlab    | < gitlab 15.10.8+ds1-2 (sid)     | gitlab 15.10.8+ds1-2 (sid)
gitlab | gitlab    |                                  |
gitlab | gitlab    |                                  |
gitlab | gitlab    |                                  |
gitlab | gitlab    |                                  |
gitlab | gitlab    |                                  |
gitlab | gitlab    | >= 11.10.0 < 14.9.5              | 14.9.5
gitlab | gitlab    | >= 14.10.0 < 14.10.4             | 14.10.4
gitlab | gitlab_ee |                                  |

Detection & IOCs (extracted from sources)

  • Attack vector: Group owner abuses SCIM API to change a targeted user's email address to an attacker-controlled address, enabling account takeover when 2FA is absent. Monitor SCIM endpoint calls that modify user email, display name, or username attributes, especially from group owners.
  • Attack also allows modification of display name and username of the targeted account via SCIM — alert on unexpected SCIM PATCH/PUT requests that alter username or display name fields for existing users.
  • Prerequisite condition: Group SAML SSO must be configured. Audit GitLab EE instances with group SAML SSO enabled and Premium+ subscriptions for suspicious SCIM activity.
  • Vulnerability only affects GitLab EE (Enterprise Edition) with group SAML SSO configured AND the SCIM feature active (requires Premium+ subscription). Community Edition is not affected.
  • Account takeover is only possible in the absence of 2FA on the targeted account. Enforcing 2FA mitigates the final takeover step.
  • Affected version ranges: GitLab EE >= 11.10 and < 14.9.5; >= 14.10 and < 14.10.4; >= 15.0 and < 15.0.1. Debian sid fix landed in 15.10.8+ds1-2.
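The detection items above boil down to one rule: a SCIM PATCH or PUT against an existing group user that rewrites email, username or display name is the abuse pattern, while ordinary provisioning (POST) and deprovisioning (setting `active` to false) are not. The script below is an added example, not code from this CVE record or from GitLab. It assumes a request-log record shape (`ts`, `actor`, `method`, `path`, `status`, `body`) that is constructed for the example; the endpoint shape `/api/scim/v2/groups/<group_path>/Users/<id>` and the PATCH `Operations` / PUT full-resource request bodies follow GitLab's group SCIM API conventions, and the sample records are constructed.

```python
"""Flag SCIM requests that rewrite identity attributes of existing GitLab group users.

Added example for CVE-2022-1680 detection; not part of the CVE record or GitLab.
Log record shape is an assumption: map your own API/audit logs onto these keys.
"""
import json
import re

# Shape of GitLab's group SCIM user endpoint (assumed for this example).
SCIM_USER_RE = re.compile(
    r"^/api/scim/v2/groups/(?P<group>[^/]+)/Users/(?P<uid>[^/?]+)$"
)

# SCIM attributes whose rewrite matches the CVE-2022-1680 abuse pattern:
# email address, username, display name.
SENSITIVE_ATTRS = {"emails", "userName", "name"}


def _attr_root(path):
    """Reduce a SCIM attribute path to its top-level attribute.

    'emails[type eq "work"].value' -> 'emails'; 'name.formatted' -> 'name'.
    """
    return re.split(r"[\[.]", path, maxsplit=1)[0]


def sensitive_attrs_touched(method, body):
    """Return the sensitive attributes a PATCH/PUT body would rewrite."""
    touched = set()
    if method == "PATCH":
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() not in ("replace", "add"):
                continue
            path = op.get("path")
            if path:
                touched.add(_attr_root(path))
            elif isinstance(op.get("value"), dict):
                # SCIM allows an op without 'path' carrying a dict of attributes.
                touched.update(_attr_root(k) for k in op["value"])
    elif method == "PUT":
        # PUT replaces the whole resource, so any sensitive key counts.
        touched.update(body.keys())
    return touched & SENSITIVE_ATTRS


def detect(records):
    """Return one finding per PATCH/PUT that rewrites a sensitive attribute."""
    findings = []
    for rec in records:
        m = SCIM_USER_RE.match(rec["path"])
        if not m or rec["method"] not in ("PATCH", "PUT"):
            continue
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            body = {}
        attrs = sensitive_attrs_touched(rec["method"], body)
        if attrs:
            findings.append({
                "ts": rec["ts"],
                "actor": rec["actor"],
                "group": m.group("group"),
                "uid": m.group("uid"),
                "method": rec["method"],
                "attrs": sorted(attrs),
                "succeeded": 200 <= int(rec.get("status", 0)) < 300,
            })
    return findings


def count_by_actor(findings):
    """Per-actor tally; a single group owner rewriting many users stands out."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


# Constructed sample log: one provisioning call, one email rewrite,
# one deprovisioning call, one username/display-name rewrite.
SAMPLE_LOG = [
    {"ts": "2022-06-01T10:00:00Z", "actor": "owner-alice", "method": "POST",
     "path": "/api/scim/v2/groups/acme/Users", "status": 201,
     "body": json.dumps({"userName": "bob",
                         "emails": [{"type": "work", "value": "bob@example.org"}]})},
    {"ts": "2022-06-01T10:05:00Z", "actor": "owner-alice", "method": "PATCH",
     "path": "/api/scim/v2/groups/acme/Users/1a2b", "status": 200,
     "body": json.dumps({"Operations": [{"op": "Replace",
                                         "path": 'emails[type eq "work"].value',
                                         "value": "attacker@example.net"}]})},
    {"ts": "2022-06-01T10:06:00Z", "actor": "owner-alice", "method": "PATCH",
     "path": "/api/scim/v2/groups/acme/Users/3c4d", "status": 200,
     "body": json.dumps({"Operations": [{"op": "Replace", "path": "active",
                                         "value": False}]})},
    {"ts": "2022-06-01T10:07:00Z", "actor": "owner-alice", "method": "PUT",
     "path": "/api/scim/v2/groups/acme/Users/1a2b", "status": 200,
     "body": json.dumps({"userName": "bob.new", "name": {"formatted": "Not Bob"},
                         "active": True})},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print(count_by_actor(detect(SAMPLE_LOG)))
```

Run against the constructed log, the first PATCH (email rewrite) and the PUT (username and display name rewrite) are reported; the POST and the deprovisioning PATCH are not. In practice, join each finding against the group's owner list and against whether the targeted user has 2FA enabled, since the record states that 2FA blocks the final takeover step.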

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_debian |         | 9.9   | CRITICAL |