• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-1680- A Critical Account Takeover Vulnerability In GitLab
How To Fix CVE-2022-1680- A Critical Account Takeover Vulnerability in GitLab

GitLab released security patches for eight vulnerabilities, of which the flaw tracked as CVE-2022-1680 is critical in severity. This is a critical flaw that could allow attackers to take over the accounts by updating the email address. The other seven vulnerabilities include two high, four medium, and one low vulnerability. GitLab released patches for all eight vulnerabilities as part of its monthly security update. According to GitLab, these vulnerabilities could allow the attackers to perform account takeover, sensitive information discloser, improper authorization, security bypass, and arbitrary code execution attacks on the vulnerable version of GitLab. This makes it important for GitLab administrators and responds to the vulnerabilities by applying the patches to their GitLab application as soon as possible. Let’s start this post with how to fix CVE-2022-1680, a critical account takeover vulnerability in GitLab, and let’s see how to fix the remaining seven vulnerabilities following that.

What Is GitLab?

GitLab is a web-based Git repository manager with a wiki and issue tracking features, using an open-source license, developed by GitLab Inc. GitLab offers git repository management, code reviews, issue tracking, activity feeds, and wikis. GitLab provides fine-grained access control, user management, five permission levels, and branch protection. With GitLab, you can have unlimited public and private repositories with community or developer editions. You can also do continuous integration and deployment with GitLab.

GitLab Community Edition (CE) is an open-source project under the MIT License. CE is for individual developers and small teams who want to self-host their own Git repositories. A notable instance of this is the Gitlab company, which offers a hosted version of GitLab CE as well as a commercial Enterprise Edition (EE). GitLab EE adds additional features on top of CE for larger deployments. Both editions are available under either a subscription or an annual contract.

List Of Vulnerabilities Fixed By GitLab:

  1. CVE-2022-1680: A Critical Account Takeover vulnerability in GitLab
  2. CVE-2022-1940: A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab
  3. CVE-2022-1948: A Cross-Site Scripting vulnerability in quick actions in GitLab
  4. CVE-2022-1935: An incorrect authorization vulnerability in GitLab
  5. CVE2022-1936: An incorrect authorization vulnerability in GitLab
  6. CVE-2022-1944: An improper authorization in the Interactive Web Terminal in GitLab
  7. CVE-2022-1821: A parent group access vulnerability in GitLab
  8. CVE-2022-1783: A Group member lock bypass vulnerability in GitLab

Summary Of CVE-2022-1680:

This is a critical vulnerability with a CVSS score of 9.9. The flaw can be exploitable only when group SAML SSO is configured. This enables premium group owners to invite arbitrary users by username and email. Attackers exploit this SCIM feature and change the user’s email ID, display name, and username of the targeted account to take over the account.

It affects GitLab EE versions starting from 11.10 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1680
CVSS Score9.9 Critical
VectorCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
DescriptionA Critical Account Takeover vulnerability in GitLab
Vulnerable Versions11.10 to 14.9.514.10 till 14.10.415.0 to 15.0.1

Summary Of CVE-2022-1940:

This is a High severity vulnerability with a CVSS score of 7.7. The flaw exists in Jira integration in GitLab EE. If you leave this vulnerability unpatched then it gives attackers to execute arbitrary JavaScript code in GitLab using specially crafted Jira Issues.

It affects GitLab EE versions starting from 13.11 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1940
CVSS Score7.7 High
VectorCVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
DescriptionA Stored Cross-Site Scripting vulnerability in Jira integration in GitLab
Vulnerable Versions13.11 to 14.9.514.10 till 14.10.415.0 to 15.0.1

Summary Of CVE-2022-1948:

This is a High severity vulnerability with a CVSS score of 8.7. The flaw is due to the missing validation of input used in quick actions. The unsuccessful patch would lead to exploiting the flaw just by injecting HTML in contact details.

It affects GitLab all versions starting from 15.0 to 15.0.1.

CVE IDCVE-2022-1948
CVSS Score8.7 High
VectorCVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
DescriptionA Cross-Site Scripting vulnerability in quick actions in GitLab
Vulnerable Versions15.0 to 15.0.1

Summary Of CVE-2022-1935:

This is a Medium severity vulnerability with a CVSS score of 6.5. This flaw is due to incorrect authorization in GitLab EE. An unsuccessful patch could allow attackers to misuse a valid Project Trigger Token from any location even when IP address restrictions were configured.

It affects GitLab EE versions starting from 12.0 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1935
CVSS Score6.5 Medium
VectorCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
DescriptionAn incorrect authorization vulnerability in GitLab
Vulnerable Versions12.0 to 14.9.514.10 till 14.10.415.0 to 15.0.1

Summary Of CVE-2022-1936:

This is a Medium severity vulnerability with a CVSS score of 6.5. This flaw is due to incorrect authorization in GitLab EE. An unsuccessful patch could allow attackers to misuse a valid Project Deploy Token from any location even when IP address restrictions were configured.

It affects GitLab EE versions starting from 12.0 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1936
CVSS Score6.5 Medium
VectorCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
DescriptionAn incorrect authorization vulnerability in GitLab
Vulnerable Versions12.0 to 14.9.514.10 till 14.10.415.0 to 15.0.1

Summary Of CVE-2022-1944:

This is a Medium severity vulnerability with a CVSS score of 5.4. This flaw is due to Incorrect authorization in the Interactive Web Terminal in GitLab CE/EE. If you ignore patch this flaw, you may allow users with the Developer role to open terminals on other Developers’ running jobs.

It affects GitLab EE versions starting from 11.3 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1944
CVSS Score5.4 Medium
VectorCVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
DescriptionAn improper authorization in the Interactive Web Terminal in GitLab
Vulnerable Versions11.3 to 14.9.514.10 till 14.10.415.0 to 15.0.1

Summary Of CVE-2022-1821:

This is a Medium severity vulnerability with a CVSS score of 4.3. This flaw is a parent group access vulnerability in GitLab CE/EE. Ignorance of this flaw could allow them to access the member list of their parent group.

It affects GitLab EE versions starting from 10.8 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1821
CVSS Score4.3 Medium
VectorCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
DescriptionA parent group access vulnerability in GitLab
Vulnerable Versions10.8 to 14.9.514.10 till 14.10.415.0 to 15.0.1

Summary Of CVE-2022-1783:

This is a Low severity vulnerability with a CVSS score of 2.7. This flaw is a Group member lock bypass vulnerability in GitLab CE/EE. Ignorance of this flaw could allow malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group.

It affects GitLab EE versions starting from 14.3 to 14.9.5, from 14.10 till 14.10.4, and from 15.0 to 15.0.1.

CVE IDCVE-2022-1783
CVSS Score2.7 Low
VectorCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
DescriptionA Group member lock bypass vulnerability in GitLab
Vulnerable Versions14.3 to 14.9.514.10 till 14.10.415.0 to 15.0.1

How To Fix CVE-2022-1680- A Critical Account Takeover Vulnerability In GitLab?

GitLab responded these flaws by releasing security updates. All these vulnerabilities were fixed in versions 15.0.1, 14.10.4, and 14.9.5. We recommend you upgrade your GitLab to any of these versions to fix CVE-2022-1680 (A Critical Account Takeover Vulnerability in GitLab) including the other seven vulnerabilities.

Time needed: 10 minutes.

How to upgrade GitLab to the latest version?

GitLab upgradation process depends on the installation methods followed in your organization. GitLab officially supports four different ways of upgradation process:

1. Linux packages (Omnibus GitLab)
2. Source installations
3. Docker installations
4. Kubernetes (Helm) installations

  1. Create backup before the upgrade

    It is highly recommended to have a full up-to-date backup before you begin.

  2. Add GitLab official repositories

    1. gitlab/gitlab-ee: The full GitLab package contains all the Community Edition features plus the Enterprise Edition ones.
    2. gitlab/gitlab-ce: A stripped-down package that contains only the Community Edition features.
    3. gitlab/unstable: Release candidates and other unstable versions.
    4. gitlab/nightly-builds: Nightly builds.
    5. gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi packages.

    You can run this command to update the latest repositories if you have GitLab installed on your server.

    $ sudo apt update

  3. Upgrade GitLab to the latest version using the official repositories

    To upgrade to the latest GitLab version:

    # Ubuntu/Debian
    $ sudo apt upgrade gitlab-ee

    # RHEL/CentOS 6 and 7
    $ sudo yum upgrade gitlab-ee

    # RHEL/CentOS 8
    $ sudo dnf upgrade gitlab-ee

    # SUSE
    $ sudo zypper upgrade gitlab-ee

    Note: For the GitLab Community Edition, replace gitlab-ee with gitlab-ce.

  4. Upgrade GitLab to a specific version

    Use these commands with a version number to upgrade GitLab to a specific version.

    # Ubuntu/Debian
    $ sudo apt install gitlab-ee=<version>

    # RHEL/CentOS 6 and 7
    $ sudo yum install gitlab-ee-<version>

    # RHEL/CentOS 8
    $ sudo dnf install gitlab-ee-<version>

    # SUSE
    $ sudo zypper install gitlab-ee=<version>

  5. Upgrade GitLab using a manually-downloaded package

    After the package is downloaded, install it by using one of the following commands and replacing <package_name> with the package name you downloaded:

    # Debian/Ubuntu
    $ dpkg -i <package_name>

    # CentOS/RHEL
    $ rpm -Uvh <package_name>

    # SUSE
    $ zypper install <package_name>

We hope this post will help you know how to fix CVE-2022-1680, a critical account takeover vulnerability in GitLab. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.