{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-041.pdf"
    },
    "title": "Critical Vulnerability in GitLab",
    "serial_number": "2022-041",
    "publish_date": "03-06-2022 21:45:00",
    "description": "On June 1, 2022, GitLab released updates fixing several vulnerabilities, one of which could lead to Account Take Over. This critical vulnerability is identified as \"CVE-2022-1680\" with a severity score of 9.9 out of 10.",
    "url_title": "2022-041",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in GitLab'\nversion: '1.0'\nnumber: '2022-041'\noriginal_date: 'June 1, 2022'\ndate: 'June 3, 2022'\n---\n\n_History:_\n\n* _03/06/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 1, 2022, GitLab released updates fixing several vulnerabilities, one of which could lead to Account Take Over [1]. This critical vulnerability is identified as `CVE-2022-1680` with a severity score of 9.9 out of 10.\n\n# Technical Details\n\nWhen group SAML SSO is configured, the System for Cross-domain Identity Management (SCIM) feature may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account [2].\n\n# Affected Products\n\nThe following versions of GitLab **Enterprise Edition** are affected [2]:\n\n- all versions starting from `11.10` and before `14.9.5`,\n- all versions starting from `14.10` and before `14.10.4`,\n- all versions starting from `15.0` and before `15.0.1`.\n\nTo be vulnerable, the servers must be configured with the `SAML SSO` option enabled.\n\nPlease note that the Cloud version `GitLab.com` is already running the latest version.\n\n# Recommendations\n\nCERT-EU strongly recommends updating GitLab servers to the latest version.\n\nCERT-EU also recommends enforcing multi-factor authentication (MFA) for users.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/gitlab-security-update-fixes-critical-account-take-over-flaw/>\n\n[2] <https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/#account-take-over-via-scim-email-change>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>03/06/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 1, 2022, GitLab released updates fixing several vulnerabilities, one of which could lead to Account Take Over [1]. This critical vulnerability is identified as <code>CVE-2022-1680</code> with a severity score of 9.9 out of 10.</p><h2 id=\"technical-details\">Technical Details</h2><p>When group SAML SSO is configured, the System for Cross-domain Identity Management (SCIM) feature may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>The following versions of GitLab <strong>Enterprise Edition</strong> are affected [2]:</p><ul><li>all versions starting from <code>11.10</code> and before <code>14.9.5</code>,</li><li>all versions starting from <code>14.10</code> and before <code>14.10.4</code>,</li><li>all versions starting from <code>15.0</code> and before <code>15.0.1</code>.</li></ul><p>To be vulnerable, the servers must be configured with the <code>SAML SSO</code> option enabled.</p><p>Please note that the Cloud version <code>GitLab.com</code> is already running the latest version.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating GitLab servers to the latest version.</p><p>CERT-EU also recommends enforcing multi-factor authentication (MFA) for users.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/gitlab-security-update-fixes-critical-account-take-over-flaw/\">https://www.bleepingcomputer.com/news/security/gitlab-security-update-fixes-critical-account-take-over-flaw/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/#account-take-over-via-scim-email-change\">https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/#account-take-over-via-scim-email-change</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}