  • #363058
Closed
Open
Issue created May 20, 2022 by Imre Farkas@ifarkas🔴Maintainer

Account take over via SCIM email change

A group administrator with group SSO enabled can take over any user account whose username and email are known, via the SCIM provisioning API. 2FA mitigates the impact.

Steps to reproduce:

  1. Provision a SCIM user using an existing user's username and email via the POST /api/scim/v2/groups/:group_path/Users/ endpoint.
  2. Update the SCIM-provisioned user's email address via PATCH /api/scim/v2/groups/:group_path/Users/:id.
  3. Confirm the email sent to the new address.

Vulnerability found in https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/2270.
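A constructed model of the flaw described in the steps above, added here for illustration and not GitLab's code: a permissive SCIM directory links a provisioned identity to a pre-existing account and then lets a PATCH rewrite that account's primary email with confirmation sent only to the new address, beside a hardened variant that refuses SCIM-driven email changes for accounts it did not create and notifies the old address. Class and field names, and the sample users, are assumptions.

```python
# Constructed model of the SCIM email-change takeover path; not GitLab's implementation.
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    scim_managed: bool = False  # True only when the account was created by SCIM provisioning


class PermissiveScimDirectory:
    """Vulnerable model: provisioning links to any existing account with a matching
    username and email, and a later PATCH rewrites the primary email while the
    confirmation mail goes to the NEW address (which the caller controls)."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.identities = {}  # scim_id -> username
        self.outbox = []      # (recipient, purpose) of mails the model would send

    def provision(self, scim_id, username, email):
        user = self.users.get(username)
        if user is not None and user.email == email:
            self.identities[scim_id] = username  # pre-existing account is now SCIM-linked
            return "linked"
        self.users[username] = User(username, email, scim_managed=True)
        self.identities[scim_id] = username
        return "created"

    def patch_email(self, scim_id, new_email):
        user = self.users[self.identities[scim_id]]
        user.email = new_email
        self.outbox.append((new_email, "confirm"))  # confirmation only reaches the new address
        return "changed"


class HardenedScimDirectory(PermissiveScimDirectory):
    """Hardened model: SCIM may only change the email of accounts it created itself.
    For a linked pre-existing account the change is rejected and the owner is told
    at the address on file, so a takeover attempt is both blocked and visible."""

    def patch_email(self, scim_id, new_email):
        user = self.users[self.identities[scim_id]]
        if not user.scim_managed:
            self.outbox.append((user.email, "notify_rejected_change"))
            return "rejected"
        return super().patch_email(scim_id, new_email)
```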

Edited May 30, 2022 by Nick Malcolm