CVE-2022-1680 in Enterprise Edition

Summary

by MITRE • 06/06/2022

An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.


Analysis

by VulDB Data Team • 06/08/2022

The vulnerability described in CVE-2022-1680 is a critical account takeover flaw in GitLab Enterprise Edition that arises from the interaction between group SAML SSO configuration and the SCIM feature. It affects a broad range of GitLab versions, 11.10 through 14.9.4, 14.10 through 14.10.3, and 15.0 through 15.0.0, so multiple release streams are impacted. The flaw manifests only when group-level SAML Single Sign-On is configured together with SCIM (System for Cross-domain Identity Management) provisioning, which is restricted to Premium and higher subscription tiers. At its core, the SCIM interface insufficiently validates user invitations and identity management operations, creating a pathway for unauthorized privilege escalation.

The operational impact is severe: the flaw directly enables account takeover through a multi-stage attack. An attacker holding a Premium group owner account first invites arbitrary users using only their usernames and email addresses, bypassing normal invitation restrictions. The attacker then uses SCIM to change the invited users' email addresses to attacker-controlled ones, effectively hijacking the accounts. The takeover succeeds when the targeted account has no 2FA enabled, so the absence of that single control significantly amplifies the risk. The attacker can additionally modify display names and usernames, reshaping the compromised identity entirely within the system. Such control over user accounts opens the door to further attacks, including privilege escalation, data exfiltration and persistent access.

This vulnerability maps to CWE-862 (Missing Authorization) and CWE-306 (Missing Authentication for Critical Function) in the Common Weakness Enumeration, as it is a failure of authorization controls around critical identity management functions. The attack pattern aligns with ATT&CK techniques T1078.004 (Valid Accounts: Cloud Accounts) and T1531 (Account Access Removal), since attackers gain unauthorized access to legitimate user accounts by manipulating the identity management system. The flaw reflects poor input validation and insufficient access controls in the SCIM implementation, allowing privilege escalation through manipulation of user identity attributes. Practitioners should note that exploitation requires no privileges beyond those of a Premium group owner, which is concerning because such owners have relatively low-level access within the GitLab hierarchy.

Recommended mitigations start with immediately upgrading to the patched versions, 14.9.5, 14.10.4 and 15.0.1, which fix the SCIM authorization controls. Organizations should also enforce mandatory 2FA for all user accounts, monitor group membership changes regularly, and audit-log SCIM operations. Network segmentation and access controls should be reviewed to limit who can use Premium group features, and security teams should audit SAML SSO configurations for potential exploitation vectors. The vulnerability underscores the importance of sound identity and access management controls, particularly in cloud-based collaboration platforms where identity federation and user provisioning are commonly deployed.
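As an added example (not part of this VulDB entry and not GitLab code), the following Python shows what the recommended SCIM audit logging and membership monitoring can detect: a group owner inviting a user and then rewriting that user's email via SCIM to a different domain, with the 2FA state deciding whether the change is a takeover risk. The JSON event schema, the sample events and the 2FA table are constructed assumptions, not GitLab's real audit-event format.

```python
"""Flag the CVE-2022-1680 abuse chain in audit events: a group owner invites a
user, then rewrites that user's email via SCIM to another domain.  The event
schema, sample events and 2FA table below are constructed assumptions."""
import json
from datetime import datetime, timedelta

# Constructed JSON-lines audit events (assumed simplified schema, not GitLab's).
SAMPLE_LOG = """
{"ts": "2022-06-01T09:00:00", "event": "member_invited", "group": "acme", "actor": "mallory", "user": "alice", "email": "alice@corp.example"}
{"ts": "2022-06-01T09:05:00", "event": "scim_user_updated", "group": "acme", "actor": "mallory", "user": "alice", "old_email": "alice@corp.example", "new_email": "alice@attacker.example"}
{"ts": "2022-06-01T10:00:00", "event": "scim_user_updated", "group": "acme", "actor": "idp-sync", "user": "bob", "old_email": "bob@corp.example", "new_email": "robert@corp.example"}
{"ts": "2022-05-01T10:00:00", "event": "member_invited", "group": "acme", "actor": "mallory", "user": "carol", "email": "carol@corp.example"}
{"ts": "2022-06-01T11:00:00", "event": "scim_user_updated", "group": "acme", "actor": "mallory", "user": "carol", "old_email": "carol@corp.example", "new_email": "carol@attacker.example"}
"""
# Constructed 2FA state per user (in practice taken from the user directory).
TWO_FA = {"alice": False, "bob": True, "carol": True}

# An invite followed by a SCIM email rewrite inside this window matches the
# pattern the advisory describes (invite, then redirect the account's email).
WINDOW = timedelta(hours=24)


def domain(addr):
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def detect(log_text, two_fa, window=WINDOW):
    """One finding per cross-domain SCIM email change: severity 'high' when the
    same actor invited the user within `window`, else 'medium';
    takeover_possible is True when the target account has no 2FA."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    events.sort(key=lambda e: e["ts"])          # ISO timestamps sort lexically
    invites = {}                                 # (group, user) -> (actor, time)
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        key = (e["group"], e["user"])
        if e["event"] == "member_invited":
            invites[key] = (e["actor"], ts)
        elif e["event"] == "scim_user_updated" and domain(e["old_email"]) != domain(e["new_email"]):
            actor, when = invites.get(key, (None, None))
            recent = actor == e["actor"] and when is not None and ts - when <= window
            findings.append({
                "user": e["user"], "actor": e["actor"], "new_email": e["new_email"],
                "severity": "high" if recent else "medium",
                "takeover_possible": not two_fa.get(e["user"], False),
            })
    return findings
```

On the constructed sample, `detect(SAMPLE_LOG, TWO_FA)` reports alice (high, takeover possible) and carol (medium, 2FA present) and ignores bob's same-domain rename by the identity provider.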

Responsible

GitLab Inc.

Reservation

05/12/2022

Disclosure

06/06/2022

Moderation

accepted

CPE

ready

EPSS

0.15370

KEV

no

Activities

very low
