Improper Access Control in GitLab EE Affects User Management
CVE-2021-22240
4.2 MEDIUM
Summary
An improper access control vulnerability in GitLab EE, affecting all versions from 13.7 before 13.11.6, from 13.12 before 13.12.6, and from 14.0 before 14.0.2, allows user accounts to be created via single sign-on even when a user cap is enabled. The cap is meant to stop new accounts from being provisioned once the configured limit is reached, but it was not enforced on the single sign-on path, so an instance could end up with more accounts (and more people holding access) than the administrator intended. The issue is fixed in 13.11.6, 13.12.6, and 14.0.2.
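To make the vulnerability class concrete, here is an added illustration (not GitLab's code, and not part of the original advisory) of a user cap that is enforced on the self-service sign-up path but skipped on the single sign-on path, next to a hardened version in which every provisioning path goes through the same gate. The class name `UserStore`, its methods and the sample e-mail addresses are assumptions made for the example.

```ruby
# Hypothetical model of the bug class described in the advisory: a user cap
# enforced on one account-creation path but not on another. This is example
# code written for illustration, NOT GitLab's implementation; class, method
# and provider names are assumptions.

class UserStore
  attr_reader :users

  def initialize(user_cap:)
    @user_cap = user_cap # nil means "no cap configured"
    @users = []
  end

  def cap_reached?
    return false if @user_cap.nil?
    @users.size >= @user_cap
  end

  # Vulnerable pattern: the cap is checked only for self-service sign-up.
  def signup_vulnerable(email)
    return :blocked_by_cap if cap_reached?
    create(email, provider: :password)
  end

  # ...while an identity asserted by the SSO provider is created
  # unconditionally. This missing check is the bypass.
  def sso_vulnerable(email)
    create(email, provider: :sso)
  end

  # Hardened pattern: one provisioning gate applies the cap regardless of
  # how the identity was asserted (password, SAML, OIDC, ...).
  def provision(email, provider:)
    return :blocked_by_cap if cap_reached?
    create(email, provider: provider)
  end

  private

  def create(email, provider:)
    user = { email: email, provider: provider }
    @users << user
    user
  end
end

# Constructed scenario: cap of 2, two accounts already exist, a third
# identity arrives via SSO. Returns what happened and the resulting count.
def demo(vulnerable:)
  store = UserStore.new(user_cap: 2)
  store.provision("a@example.test", provider: :password)
  store.provision("b@example.test", provider: :password)
  result = if vulnerable
             store.sso_vulnerable("c@example.test")
           else
             store.provision("c@example.test", provider: :sso)
           end
  { outcome: result.is_a?(Hash) ? :created : result, count: store.users.size }
end

if __FILE__ == $PROGRAM_NAME
  p demo(vulnerable: true)  # SSO account created despite the cap
  p demo(vulnerable: false) # provisioning blocked by the cap
end
```

The practical check this suggests for any system with an account limit is to enumerate every path that can create an account (password sign-up, SAML/OIDC just-in-time provisioning, LDAP sync, API, invitations) and confirm each one routes through the same limit check rather than its own copy of the logic.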
Affected Version(s)
GitLab EE >=13.7, <13.11.6 (fixed in 13.11.6)
GitLab EE >=13.12, <13.12.6 (fixed in 13.12.6)
GitLab EE >=14.0, <14.0.2 (fixed in 14.0.2)
References
CVSS V3.1
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to bingomzan for reporting this vulnerability through our HackerOne bug bounty program.