CVE-2022-1680
Description
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In GitLab EE with group SAML SSO configured, an owner of a Premium group can use SCIM to take over other users' accounts that lack 2FA; affected are all versions from 11.10 before 14.9.5, from 14.10 before 14.10.4, and from 15.0 before 15.0.1.
Vulnerability
In GitLab EE, when group SAML SSO is configured, the SCIM feature (available on Premium+ subscriptions) permits any owner of a Premium group to invite arbitrary users via their username and email. The attacker can then change those users' email addresses via SCIM to an attacker-controlled email address. This issue affects all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1 [1].
Exploitation
An attacker who is an owner of a Premium group with group SAML SSO enabled can exploit this by first provisioning a SCIM user using an existing user's username and email via the POST /api/scim/v2/groups/:group_path/Users/ endpoint. Then, the attacker updates the SCIM-provisioned user's email address via a PATCH request to /api/scim/v2/groups/:group_path/Users/:id. A confirmation email is sent to the new email address, which the attacker controls. No special network position or additional authentication beyond group ownership is required, and the attack does not rely on user interaction or race conditions [1].
Impact
In the absence of two-factor authentication (2FA) on the targeted account, the attacker can reset its credentials through the attacker-controlled email and take the account over, gaining full control of it. Independently of 2FA, the attacker can also change the targeted account's display name and username via SCIM. For an account without 2FA this is a complete compromise of its confidentiality, integrity, and availability [1].
Mitigation
GitLab has released fixed versions: 14.9.5, 14.10.4, and 15.0.1. Users should upgrade to these or later versions [1]. There is no known workaround. Requiring 2FA for all users blocks the login takeover on an unpatched instance but does not stop a group owner from altering the targeted user's email, display name, and username, so it reduces rather than eliminates the risk. This CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
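As an added example (not GitLab's own code and not part of the advisory), the check below tells an administrator whether an instance's version string falls inside the three affected ranges and which release fixes its branch. It reads the version from GitLab's documented GET /api/v4/version endpoint, which returns JSON with a "version" field such as "14.9.4-ee" for EE builds; the base URL and the personal access token (read_api scope) are assumptions of the example. A version inside the range is necessary but not sufficient: the issue only applies to EE with group SAML SSO and SCIM in use, which this check does not verify.

```python
"""Version-range check for CVE-2022-1680 (added example, not GitLab's code)."""
import json
import re
import urllib.request
from typing import Optional, Tuple

# Affected ranges from the advisory as (lower inclusive, upper exclusive);
# the upper bound of each range is the first fixed release on that branch.
AFFECTED_RANGES = (
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
)

# Accepts "11.10", "14.9.5", "14.9.5-ee", "15.0.1-ee"; trailing edition or
# pre-release tags are ignored for the range comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_ee(version: str) -> bool:
    """EE builds report an '-ee' suffix from /api/v4/version; CE has no SCIM."""
    return version.strip().endswith("-ee")


def is_affected(version: str) -> bool:
    """True when the version lies inside any of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the instance's branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def instance_version(base_url: str, token: str) -> str:
    """Fetch the running version from GitLab's GET /api/v4/version.

    base_url and token are assumptions of this example; the token needs the
    read_api scope and is sent in the PRIVATE-TOKEN header as GitLab expects.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def assess(version: str) -> str:
    """One-line verdict for a version string, for use in a report or CI job."""
    if not is_affected(version):
        return f"{version}: not in an affected range"
    edition = "EE" if is_ee(version) else "edition unknown"
    return (f"{version} ({edition}): affected by CVE-2022-1680 if group SAML "
            f"SSO and SCIM are in use; upgrade to {fixed_version_for(version)} "
            f"or later")


if __name__ == "__main__":
    # Offline demonstration on constructed version strings.
    for sample in ("14.9.4-ee", "14.10.4-ee", "15.0.0-ee", "15.1.0-ee"):
        print(assess(sample))
    # Live use (assumed host and token):
    # print(assess(instance_version("https://gitlab.example.com", "glpat-...")))
```

The branch-by-branch ranges matter: an instance on 14.10.3 is affected even though 14.10.3 is newer than the 14.9.5 fix, because each stable branch received its own backport.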
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=11.10 <14.9.5, >=14.10 <14.10.4, >=15.0 <15.0.1
- Range: >=15.0.0, <15.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1680.json (MITRE, x_refsource_CONFIRM)
- [2] gitlab.com/gitlab-org/gitlab/-/issues/363058 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.