Main Vulnerability Database Vulnerabilities #VU63924

#VU63924 Improper access control in GitLab Enterprise Edition - CVE-2022-1680

Published: June 2, 2022

Vulnerability identifier: #VU63924

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-1680

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
GitLab Enterprise Edition

Software vendor:
GitLab, Inc

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to an account takeover issue via the SCIM feature. A remote user can invite arbitrary users through their username and email, take over those accounts and change their display name and username.

Remediation

Install updates from vendor's website.

External links

https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/

#VU63924 Improper access control in GitLab Enterprise Edition - CVE-2022-1680

Description

Remediation

External links

Please verify you're human