GitLab Security Update Fixes Critical Account Take Over Flaw
GitLab has released a critical security update for multiple versions of its Community and Enterprise Edition products to address eight vulnerabilities, one of which allows account takeover.
GitLab is a web-based Git repository for developer teams that need to manage their code remotely. It has approximately 30 million registered users and one million paying customers.
Getting control over a GitLab account comes with severe consequences as hackers could gain access to developers’ projects and steal source code.
Tracked as CVE-2022-1680 and rated with a critical severity score of of 9.9, the vulnerability affects all GitLab versions 11.10 through 14.9.4, 14.10 through 14.10.3, and version 15.0.
According to the company advisory, exploiting the flaw is possible on instances with a specific configuration, and the potential for abuse is reduced by the presence of two-factor authentication (2FA) on targeted accounts.
“When group SAML SSO is configured, the SCIM feature may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address and thus – in the absence of 2FA – take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.” – GitLab
Fixing and remediation
The issue was addressed with security updates for all affected branches. All GitLab users should move to the latest available versions as soon as possible.
Additionally, to check if Security Assertion Markup Language (SAML) access protection is active, admins can review this instructions web page containing guidance on setting this functionality to the desired policy.
The security updates contain fixes for two more high-severity flaws. The first is a cross-site scripting (XSS) issue in the Jira integration component tracked as CVE-2022-1940; it comes with a severity rating of 7.7.
The second is a missing validation of input that allows HTML injection in the contact list details and enabling XSS attacks. It is tracked as CVE-2022-1948 and has a severity rating of 8.7.
The remaining five vulnerabilities are IP allowlist bypass problems, improper authorization in the web terminal, and improper group member access and lock bypass.