Account take over via SCIM email change

Group administrator with group SSO enabled can take over any user account with known username and email via SCIM provisioning API. 2FA mitigates the impact.

Steps to reproduce:

provision a SCIM user using an existing user's username and email via POST /api/scim/v2/groups/:group_path/Users/ endpoint
update the SCIM provisioned user's email address via PATCH /api/scim/v2/groups/:group_path/Users/:id
confirm email sent to new email

Vulnerability found in https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/2270.

Edited May 30, 2022 by Nick Malcolm