CVE-2021-22240 in Enterprise Edition

Summary

by MITRE • 08/06/2021

Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled


Analysis

by VulDB Data Team • 08/10/2021

This vulnerability affects GitLab Enterprise Edition installations running versions 13.11.6, 13.12.6, and 14.0.2 with the user cap feature enabled to limit the number of active users. It is an access control bypass that undermines the control meant to prevent unchecked growth of the user base. When single sign-on is enabled alongside a user cap, the system does not check whether the limit has already been reached before creating a new account through the SSO flow. The cap should reject account creation once the maximum is reached regardless of the authentication method used; failing to do so is a failure of authorization enforcement and of the principle of least privilege.

The implementation flaw stems from insufficient input validation and access control checks within the user creation workflow. Specifically, the SSO user creation path is not integrated with the existing user cap enforcement logic, so new accounts are provisioned even when the instance has reached its configured limit. This vulnerability is categorized under CWE-639 Access Control Bypass Through User Enumeration, as it enables unauthorized user creation by bypassing the user limitation controls. The defect sits at the application logic level: the authorization check that should precede account creation is absent on one path, which gives attackers a way around an administrative control.

The operational impact is significant for organizations relying on GitLab Enterprise Edition for code management and collaboration. An attacker could use this weakness to create user accounts beyond the configured cap, potentially leading to resource exhaustion, unauthorized access to sensitive repositories, and circumvention of audit controls. It particularly affects organizations with strict user licensing requirements, or those operating under limited user licenses, where enforcement of the cap is critical. Bypassing the cap through SSO undermines the organization's ability to control costs and maintain access governance, since unauthorized users could gain access to protected repositories and development environments.

Organizations should immediately upgrade to GitLab versions that address this vulnerability, specifically 13.11.7, 13.12.7, or 14.0.3 and later. The fix adds proper authorization checks to the SSO user creation flow so that user caps are enforced regardless of the authentication method used. Security teams should also audit their GitLab installations to verify that user cap settings are configured as intended and monitor for unauthorized account creation. The vulnerability aligns with ATT&CK technique T1078 Account Manipulation, where adversaries establish persistent access by creating new accounts that bypass existing access controls. Organizations should review their SSO configurations and user provisioning workflows to confirm they are integrated with access control policies, and add monitoring for unusual user creation patterns that could indicate exploitation attempts.
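The bug class described in the analysis above, and the audit check recommended for security teams, as an added illustration that is not GitLab's code: a constructed in-memory user store in which the cap is checked only on the password sign-up path (so the SSO callback provisions past the limit), the same model with the check moved into a single provisioning entry point shared by every authentication method, and a helper that lists active accounts beyond the cap. UserStore, the two provisioning modules and accounts_over_cap are assumed names for this example.

```ruby
class UserCapExceeded < StandardError; end

# Constructed in-memory user table standing in for the real one; nil cap = unlimited.
class UserStore
  attr_reader :users, :user_cap

  def initialize(user_cap: nil)
    @user_cap = user_cap
    @users = []
  end
  def active_users
    @users.select { |u| u[:active] }
  end
  def cap_reached?
    !@user_cap.nil? && active_users.size >= @user_cap
  end
  # Raw insert with no policy check; every sign-up path ends here.
  def insert(username, provider)
    @users << { username: username, provider: provider, active: true }
    @users.last
  end
end

# Bug shape: the cap is checked only in the password sign-up path, so the
# SSO callback, which inserts directly, provisions past the limit.
module VulnerableProvisioning
  def self.password_signup(store, username)
    raise UserCapExceeded if store.cap_reached?
    store.insert(username, "password")
  end
  def self.sso_callback(store, username, provider)
    store.insert(username, provider)
  end
end

# Fixed shape: a single entry point enforces the cap for every auth method.
module HardenedProvisioning
  def self.provision(store, username, provider)
    raise UserCapExceeded, "user cap #{store.user_cap} reached" if store.cap_reached?
    store.insert(username, provider)
  end
  def self.password_signup(store, username) ; provision(store, username, "password") ; end
  def self.sso_callback(store, username, provider) ; provision(store, username, provider) ; end
end

# Audit helper: active accounts beyond the cap; non-empty means the cap was bypassed.
def accounts_over_cap(store)
  store.user_cap ? store.active_users.drop(store.user_cap) : []
end
```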
