CVE-2021-22240
4.2 MEDIUM
Summary
Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled
Affected Version(s)
GitLab EE >=13.7, <13.11.6
GitLab EE >=13.12, <13.12.6
GitLab EE >=14.0, <14.0.2
References
CVSS V3.1
Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD Database, Mitre Database
Credit
Thanks to bingomzan for reporting this vulnerability through our HackerOne bug bounty program.