CVE-2022-1981 in Enterprise Edition

Summary

by MITRE • 07/01/2022

An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members that don't comply with the domain allow-list.


Analysis

by VulDB Data Team • 07/18/2022

This vulnerability in GitLab Enterprise Edition represents a critical access control bypass issue that undermines the security posture of organizations relying on domain-based user restrictions. The flaw exists in the group membership and invitation system where administrators can configure domain allow-lists to restrict user access to specific groups. When a maintainer utilizes the 'Invite a group' functionality, the system fails to properly validate whether all members of the invited group comply with the configured domain restrictions. This creates a pathway for unauthorized users to gain access to restricted group resources through legitimate invitation mechanisms.

The technical implementation of this vulnerability stems from insufficient input validation and access control checks within GitLab's group invitation workflow. The system correctly enforces domain restrictions for individual user invitations but fails to apply the same validation when processing group invitations. This discrepancy occurs because the invitation process does not recursively verify that all members of the target group meet the domain requirements established for the parent group. The vulnerability manifests when a maintainer invites a group that contains users from domains not included in the allow-list, effectively circumventing the intended security controls.
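The gap the analysis describes, a domain check that runs on the direct-invitation path but not on the group-invitation path, can be shown in a small Ruby model. The code below is an added illustration, not GitLab's own code: the `User` and `Group` structures, the `invite_*` functions and the sample users and domains (`corp.example`, `outside.example`) are all constructed for this example. The vulnerable function links the invited group without looking at its members; the hardened one treats a group invitation as an invitation of every effective member and applies the same allow-list check that a direct invitation must pass.

```ruby
# Toy model (added here, not GitLab's code) of a group domain allow-list and
# of the two invitation paths the analysis contrasts.
User  = Struct.new(:username, :email)
Group = Struct.new(:name, :allowed_domains, :members, :shared_groups) do
  # Everyone who ends up with access: direct members plus every member of
  # each group that has been invited ("shared") into this one, recursively.
  def effective_members
    members + shared_groups.flat_map(&:effective_members)
  end
end

# A user complies when the allow-list is empty (restriction not enabled) or
# when the mail domain is on the list. Domains are compared case-insensitively.
def domain_allowed?(user, allowed_domains)
  return true if allowed_domains.empty?
  domain = user.email.split('@', 2).last.to_s.downcase
  allowed_domains.map(&:downcase).include?(domain)
end

# Direct user invitation: the allow-list is enforced on this path.
def invite_user(group, user)
  unless domain_allowed?(user, group.allowed_domains)
    return [:rejected, [user.username]]
  end
  group.members << user
  [:ok, []]
end

# Vulnerable pattern described in the advisory: the invited group is linked
# without inspecting who belongs to it, so all of its members inherit access.
def invite_group_vulnerable(target, invited)
  target.shared_groups << invited
  [:ok, []]
end

# Hardened pattern: a group invitation is an invitation of every effective
# member of that group, so refuse it if any member would fail the same check
# a direct invitation has to pass. Returns the offending usernames.
def invite_group_hardened(target, invited)
  violators = invited.effective_members.reject { |u| domain_allowed?(u, target.allowed_domains) }
  return [:rejected, violators.map(&:username).sort] unless violators.empty?
  target.shared_groups << invited
  [:ok, []]
end

# Builds constructed sample data and runs both paths; returns a hash showing
# who gains access to the restricted group under each behaviour.
def compare_invitation_paths
  alice   = User.new('alice',   'alice@corp.example')      # on the allow-list
  mallory = User.new('mallory', 'mallory@outside.example') # not on it
  invited = Group.new('partners', [], [alice, mallory], [])

  restricted = Group.new('restricted', ['corp.example'], [], [])
  direct = invite_user(restricted, mallory)

  vuln = Group.new('restricted', ['corp.example'], [], [])
  invite_group_vulnerable(vuln, invited)

  hard = Group.new('restricted', ['corp.example'], [], [])
  hardened = invite_group_hardened(hard, invited)

  {
    direct_invite:     direct,
    vulnerable_access: vuln.effective_members.map(&:username).sort,
    hardened_result:   hardened,
    hardened_access:   hard.effective_members.map(&:username).sort
  }
end

puts compare_invitation_paths.inspect
```

Running it shows the asymmetry in one line: the direct invitation of `mallory` is rejected, the vulnerable group invitation gives both `alice` and `mallory` access to the restricted group, and the hardened path rejects the whole invitation naming `mallory` as the violator. The design choice to reject the whole invitation rather than silently filter members keeps the Maintainer informed of why the share failed.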

The operational impact of this vulnerability is significant for organizations that depend on domain-based access controls for security isolation and compliance requirements. Attackers or malicious insiders with maintainer privileges can exploit this weakness to grant access to restricted groups for users from unauthorized domains, potentially leading to data exposure, privilege escalation, or unauthorized access to sensitive project resources. This bypass affects all GitLab EE versions from 12.2 up to, but not including, 14.10.5, 15.0.4, and 15.1.1 in their respective release lines, creating a substantial window of vulnerability for organizations that have not yet applied the necessary patches.

Organizations should immediately implement the available patches for GitLab versions 14.10.5, 15.0.4, and 15.1.1 to remediate this vulnerability. In the interim, administrators should consider implementing additional monitoring controls to detect suspicious group invitation activities and review existing group membership access controls. The vulnerability aligns with CWE-639 Access Control Bypass and relates to ATT&CK technique T1078 Valid Accounts, as it allows for unauthorized access through legitimate administrative functions. Security teams should also evaluate their current monitoring and alerting mechanisms to detect potential abuse of the group invitation feature and establish proper audit trails for all group membership changes.
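The interim monitoring control recommended above, detecting group invitations that pull out-of-domain members into a domain-restricted group, can be expressed as a small scan over membership audit events. The Ruby below is an added example, not part of the VulDB analysis or of GitLab: the JSON-lines audit stream, its field names (`action`, `target_group`, `shared_group`, `shared_group_members`) and the per-group policy map are constructed for this illustration and would need to be mapped onto the real audit event schema of the instance being monitored.

```ruby
require 'json'

# Constructed sample audit stream (not GitLab's real audit schema; the field
# names are assumptions for this illustration). One JSON event per line.
SAMPLE_AUDIT_LOG = <<~LOG
  {"ts":"2022-07-01T09:00:00Z","action":"add_user","actor":"bob","target_group":"finance","member_email":"carol@corp.example"}
  {"ts":"2022-07-01T09:05:00Z","action":"share_group","actor":"bob","target_group":"finance","shared_group":"contractors","shared_group_members":["dave@corp.example","eve@outside.example"]}
  {"ts":"2022-07-01T09:10:00Z","action":"share_group","actor":"alice","target_group":"public-docs","shared_group":"community","shared_group_members":["frank@anywhere.example"]}
  {"ts":"2022-07-01T09:15:00Z","action":"share_group","actor":"bob","target_group":"finance","shared_group":"auditors","shared_group_members":["grace@corp.example"]}
LOG

# Domain allow-lists as configured per restricted group (constructed policy).
# Groups absent from this map are not domain-restricted.
ALLOWED_DOMAINS = { 'finance' => ['corp.example'] }.freeze

def mail_domain(email)
  email.to_s.split('@', 2).last.to_s.downcase
end

# Scan the audit stream and return one finding per group-share event that
# brings in members whose mail domain is not on the target's allow-list.
# Malformed lines are skipped rather than aborting the scan.
def detect_allowlist_bypass(log_text, policy = ALLOWED_DOMAINS)
  findings = []
  log_text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    begin
      event = JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    next unless event['action'] == 'share_group'
    allowed = policy[event['target_group']]
    next if allowed.nil? || allowed.empty?   # target group is not domain-restricted
    offenders = Array(event['shared_group_members']).reject { |m| allowed.include?(mail_domain(m)) }
    next if offenders.empty?
    findings << {
      ts: event['ts'],
      actor: event['actor'],
      target_group: event['target_group'],
      shared_group: event['shared_group'],
      out_of_domain_members: offenders.sort
    }
  end
  findings
end

detect_allowlist_bypass(SAMPLE_AUDIT_LOG).each { |f| puts f.inspect }
```

On the sample stream only the `contractors` share into `finance` is reported, because it introduces `eve@outside.example`; the share into the unrestricted `public-docs` group and the all-compliant `auditors` share are ignored. Each finding carries the actor and timestamp so it can feed an alert or a membership review queue.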

Responsible

GitLab Inc.

Reservation

06/02/2022

Disclosure

07/01/2022

Moderation

accepted

CPE

ready

EPSS

0.00638

KEV

no

Activities

very low

Sources
