Account take over vulnerability in GitLab EE - CVE-2022-1680 (rpm)ID: oval:org.secpod.oval:def:82141 | Date: (C)2022-07-15 (M)2023-08-03 |
Class: VULNERABILITY | Family: unix |
The host is installed with GitLab EE 11.10 prior to 14.9.5, 14.10 prior to 14.10.4, or 15.0 prior to 15.0.1 and is prone to an account take over vulnerability. A flaw is present in the application, which fails to handle unknown vectors. Successful exploitation allows any owner of a Premium group to invite arbitrary users through their username and email, then change those users email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts.