CVE-2022-4331 in Enterprise Edition
Summary
by MITRE • 03/10/2023
An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible that a previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.
Analysis
by VulDB Data Team • 02/28/2025
This vulnerability resides in GitLab Enterprise Edition's group transfer functionality and its SAML SSO access control mechanisms. It manifests when a group with SAML Single Sign-On enabled is moved to a new namespace as a child group, leaving behind a persistent access control gap. Affected releases are 15.1 through 15.7.7, 15.8 through 15.8.3, and 15.9 through 15.9.1, a sizeable window that could expose organizations to unauthorized access. The root cause is improper access token handling during group transfer operations: the system fails to invalidate or reassign SAML session tokens and SCIM access credentials when a group is moved to a new parent namespace. Because users who were previously removed from the group can keep acting through their existing SAML sessions or SCIM tokens, this breaks both the principle of least privilege and privilege separation.
The implementation flaw is that the group transfer process does not clean up or revoke the SAML SSO sessions and SCIM tokens associated with the group being moved. On transfer, the system should invalidate all existing access tokens and re-establish permissions in the new namespace context; because that step fails, former maintainers or owners who previously had access can continue operating under their existing SAML session or SCIM token credentials. This is particularly concerning because it sits at the identity and access management layer, where SAML SSO sessions are typically long-lived and can outlast the transfer operation itself. A malicious actor previously removed from the group can therefore regain access through the existing SAML session or SCIM token without re-authentication or new credential provisioning.
The operational impact goes beyond simple unauthorized access: it can enable privilege escalation and data compromise within the affected GitLab instance. An attacker who exploits this flaw could perform administrative actions on the transferred group, including modifying project settings, adding or removing members, pushing code changes, or reading sensitive repository contents. Organizations that rely heavily on SAML SSO for GitLab access are especially exposed, since those users often hold elevated privileges over critical source code repositories. Persistence through SCIM tokens adds a further dimension of risk: these tokens are typically used for automated provisioning and synchronization of user accounts, so an attacker may retain access even after manual removal from the group. The vulnerability maps to CWE-284 (Improper Access Control) and aligns with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts), in which attackers maintain access through legitimate but improperly revoked credentials.
Organizations should upgrade to the patched GitLab releases without delay; remediation is straightforward through the official patch releases. Beyond patching, the recommended mitigation is additional access control monitoring and regular token revocation procedures, particularly for groups that undergo namespace transfers. Security teams should establish automated processes that invalidate SAML sessions and SCIM tokens whenever group ownership changes, and regular security audits should verify group transfer operations and the validity of the associated access tokens to prevent unauthorized persistence. The vulnerability underlines the importance of proper session management during namespace operations and of comprehensive access control validation in identity and access management systems; monitoring for group transfer activity and anomalous access patterns can help surface exploitation attempts. More broadly, it is a reminder of the security implications that arise when identity management systems interact with resource management operations, especially in environments where SAML SSO and automated provisioning mechanisms are extensively used.
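As an added illustration (not GitLab's or VulDB's code), the reconciliation step the analysis recommends, modelled in Python: a group carrying SAML-session and SCIM-token grants is transferred under a new root namespace, and a post-transfer check revokes every grant whose user is no longer a member or whose issuing provider belongs to the old root. The class names, fields and sample users are assumptions constructed for this example.

```python
"""Post-transfer access reconciliation: an added illustration, not GitLab code.
It models the control the analysis recommends: after a SAML SSO group is moved
under a new parent, every grant derived from the old namespace's SAML/SCIM
provider is re-checked against current membership and root, and stale ones are
revoked. Names and sample data are constructed for this example."""
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    source: str          # "saml_session" or "scim_token"
    provider_root: str   # root namespace whose SAML/SCIM provider issued it

@dataclass
class Group:
    name: str
    root: str                  # top-level namespace owning the SAML config
    members: set = field(default_factory=set)
    grants: list = field(default_factory=list)

def transfer(group: Group, new_root: str) -> None:
    # The behaviour the page describes: the move leaves existing grants intact.
    group.root = new_root

def can_act(group: Group, user: str) -> bool:
    # Any surviving grant is honoured, regardless of current membership.
    return any(g.user == user for g in group.grants)

def reconcile(group: Group) -> list:
    """Revoke grants whose user is no longer a member or whose issuing provider
    belongs to a namespace other than the group's current root. Returns the
    revoked grants so they can be logged or alerted on."""
    revoked = [g for g in group.grants
               if g.user not in group.members or g.provider_root != group.root]
    group.grants = [g for g in group.grants if g not in revoked]
    return revoked

def demo() -> tuple:
    # Constructed scenario: 'mallory' was removed from the group but still holds
    # a SAML session and a SCIM token that were issued under the old root.
    grp = Group("payments", root="old-org", members={"alice"},
                grants=[Grant("alice", "saml_session", "old-org"),
                        Grant("mallory", "saml_session", "old-org"),
                        Grant("mallory", "scim_token", "old-org")])
    transfer(grp, "new-org")
    stale_access = can_act(grp, "mallory")  # True: the persistence the CVE describes
    revoked = reconcile(grp)                # alice must re-authenticate too
    return stale_access, can_act(grp, "mallory"), [g.user for g in revoked]
```

Note that the current member's grant is revoked as well, because it was issued by the old root's provider; she regains access by authenticating through the new root's SAML provider, which is the "invalidate and reassign" behaviour the analysis calls for.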