Advisory - GitLab

Summary

GitLab has issued a total of 8 CVEs for this release, covering issues that include account takeover, XSS and broken access control.

An owner of a GitLab group can invite people who already hold a GitLab account to join the group by username or email. The invited user's email address can then be changed through the SCIM feature (available only to Premium and higher subscriptions). Here a single vulnerability could result in:

    • The user's account details are changed in the GitLab user database.
    • The user can no longer log in with the old/original email.
    • The attacker can log in to the account using the new email.
    • The attacker can then change the username and display name, completing the account takeover.
    • Every group the victim belonged to under the original username and email is now accessible to the attacker through the new email/username.
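The step this takeover hinges on is a SCIM PATCH that replaces the user's email (and later the userName). The following is an added example, not GitLab's code: it parses the RFC 7644 PatchOp message shape that GitLab's SCIM endpoint accepts and flags operations that rewrite identity-bearing attributes, so a reverse proxy or audit pipeline that sees SCIM request bodies can raise an alert on them. The sample payloads are constructed for illustration, and the `SENSITIVE` set and function names are this example's own.

```python
"""Flag SCIM PatchOp requests that rewrite a user's email or userName.

Added example, not GitLab's code. Parses the RFC 7644 PatchOp message shape
(the format GitLab's SCIM endpoint accepts) and reports operations that
change identity-bearing attributes. Sample payloads below are constructed.
"""
import json
import re

PATCHOP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Attributes whose change re-points an account at a different person
# (compared case-insensitively; this set is the example's own choice).
SENSITIVE = {"emails", "username"}

# Splits a PatchOp path such as 'emails[type eq "work"].value' into the
# top-level attribute ('emails'), an optional filter and an optional sub-attribute.
_ATTR_RE = re.compile(r'^([A-Za-z]+)(?:\[[^\]]*\])?(?:\.[A-Za-z]+)?$')


def attr_name(path):
    """Return the lowercased top-level attribute a PatchOp path targets, or None."""
    if not path:
        return None
    # Strip a schema URN prefix, e.g. 'urn:...:User:userName' -> 'userName'
    bare = path.rsplit(":", 1)[-1]
    m = _ATTR_RE.match(bare)
    return m.group(1).lower() if m else None


def find_identity_changes(payload):
    """Return [(op, attribute, new_value)] for operations that change
    SENSITIVE attributes. payload is a dict or a JSON string."""
    if isinstance(payload, str):
        payload = json.loads(payload)
    if PATCHOP_SCHEMA not in payload.get("schemas", []):
        return []                      # not a PatchOp message at all
    findings = []
    for operation in payload.get("Operations", []):
        op = str(operation.get("op", "")).lower()   # GitLab's docs write "Replace"
        if op not in ("add", "replace"):
            continue                   # 'remove' cannot hand the account to a new email
        path = operation.get("path")
        value = operation.get("value")
        if path:
            attr = attr_name(path)
            if attr in SENSITIVE:
                findings.append((op, attr, value))
        elif isinstance(value, dict):
            # Path-less form (RFC 7644 3.5.2): value is a partial resource.
            for key, val in value.items():
                if attr_name(key) in SENSITIVE:
                    findings.append((op, attr_name(key), val))
    return findings


# Constructed: the PATCH an attacker would send to re-point the account.
SAMPLE_EMAIL_CHANGE = {
    "schemas": [PATCHOP_SCHEMA],
    "Operations": [{
        "op": "Replace",
        "path": 'emails[type eq "work"].value',
        "value": "attacker@example.com",
    }],
}

# Constructed: path-less form renaming the account after the email change.
SAMPLE_RENAME = {
    "schemas": [PATCHOP_SCHEMA],
    "Operations": [{"op": "replace",
                    "value": {"userName": "new.handle", "displayName": "Mallory"}}],
}

# Constructed: routine deprovisioning; must not be flagged.
SAMPLE_DEACTIVATE = {
    "schemas": [PATCHOP_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": False}],
}

if __name__ == "__main__":
    for name, sample in [("email change", SAMPLE_EMAIL_CHANGE),
                         ("rename", SAMPLE_RENAME),
                         ("deactivate", SAMPLE_DEACTIVATE)]:
        print(name, "->", find_identity_changes(sample))
```

Any flagged operation against a user who did not originate from the SCIM provisioner, or whose new email is outside the organisation's domains, is worth an alert; a legitimate identity provider changes emails rarely and predictably.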

5 of the 8 issues reported were broken access control. Broken access control is the most common vulnerability class found during penetration tests. There is a reason it has kept its position in the OWASP Top 10: most of these issues come from something very minor being missed in the codebase.

Even though much of the industry has started treating XSS as history, it still has a major impact and is still found today in well-reputed organisations like GitLab. It should not be dismissed; many applications out there may still be vulnerable to it.

Suggestion

Enable two-factor authentication (2FA) on your GitLab account: the takeover described above relies on the attacker being able to log in with the changed email, and a second factor they do not hold blocks that login. GitLab has recently released 15.0.1, 14.10.4 and 14.9.5. Every release before 14.9.5, every 14.10 release before 14.10.4, and 15.0.0 are affected, so upgrade to one of these fixed releases or any later version.
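To act on the version advice, an operator wants a check that maps a running instance's version string onto the fixed releases above. The following is an added example, not GitLab tooling: it encodes the three fixed releases named in this advisory and reports whether a version string (the `version` field of GitLab's `GET /api/v4/version` response, shown here as a constructed sample) falls below the fix on its branch, and which fixed release is the nearest upgrade. The function names, and the rule that unlisted branches between 14.9 and 15.0 are treated as affected, are this example's own.

```python
"""Decide whether a GitLab version is covered by this advisory's fixes.

Added example, not GitLab tooling. The fixed releases (14.9.5, 14.10.4,
15.0.1) come from the advisory; the version string is the "version" field
of GET /api/v4/version. The sample response below is constructed.
"""

# Fixed release per maintained branch, keyed by (major, minor).
PATCHED = {
    (14, 9): (14, 9, 5),
    (14, 10): (14, 10, 4),
    (15, 0): (15, 0, 1),
}
NEWEST_PATCHED_BRANCH = max(PATCHED)   # (15, 0)


def parse_version(text):
    """'14.10.3-ee' -> (14, 10, 3); edition/pre-release suffixes are dropped."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True if the version predates the fix on its branch (or the branch never got one)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        return version < PATCHED[branch]
    # Branches without a listed fix: anything older than 15.0 never received
    # one (the advisory says all releases before 14.9.5 are at risk); branches
    # newer than 15.0 were cut after the fix. Gaps in between are treated as
    # affected to stay conservative (this example's own choice).
    return branch < NEWEST_PATCHED_BRANCH


def minimum_fixed_release(text):
    """Smallest fixed release that is an upgrade for an affected version, else None."""
    if not is_affected(text):
        return None
    branch = parse_version(text)[:2]
    for fixed in sorted(PATCHED.values()):
        if fixed[:2] >= branch:
            return ".".join(str(n) for n in fixed)
    return None


# Constructed sample of what GET /api/v4/version returns on an old instance
# (the revision value is a placeholder, not a real commit).
SAMPLE_VERSION_RESPONSE = {"version": "14.10.3-ee", "revision": "0000000"}

if __name__ == "__main__":
    running = SAMPLE_VERSION_RESPONSE["version"]
    if is_affected(running):
        print(f"{running} is affected; upgrade to {minimum_fixed_release(running)} or later")
    else:
        print(f"{running} already carries the fix")
```

The comparison is done on parsed integer tuples rather than on strings so that 14.10.x sorts after 14.9.x; a plain string comparison would get that wrong.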

Resources

Authors: Narendra Kumawat, Mahesh Saptarshi

For more information contact: contact@cybersecurist.com
