Account takeover via SCIM email change
A group administrator with group SSO enabled can take over any user account whose username and email are known, via the SCIM provisioning API. 2FA mitigates the impact.
Steps to reproduce:
- provision a SCIM user using an existing user's username and email via the POST /api/scim/v2/groups/:group_path/Users/ endpoint
- update the SCIM-provisioned user's email address via PATCH /api/scim/v2/groups/:group_path/Users/:id
- confirm the email sent to the new address
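As an added illustration of why these two calls combine into a takeover, the following is a simplified Python model written for this note, not GitLab's code: the weak variant binds a freshly provisioned SCIM identity to any pre-existing account whose username or email matches, so the later PATCH rewrites that account's login email; the hardened variant refuses to bind to an account it did not create and applies email changes only to SCIM-created accounts, notifying the previous address. The store layout, function names and the sample "alice" account are assumptions.

```python
"""Added, simplified model (not GitLab's code) of the SCIM flow in this issue."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class Conflict(Exception):
    """Raised when a SCIM request would claim an account it does not own."""


@dataclass
class User:
    username: str
    email: str                      # verified login email
    scim_managed: bool = False      # SCIM identity is bound to this account
    provisioned_by_scim: bool = False  # account was created by the SCIM call


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}               # keyed by username
        self.notices: List[Tuple[str, str]] = []       # (recipient, message)

    def find(self, username: Optional[str] = None,
             email: Optional[str] = None) -> Optional[User]:
        for u in self.users.values():
            if u.username == username or u.email == email:
                return u
        return None

    def add(self, user: User) -> User:
        self.users[user.username] = user
        return user


# --- weak flow: the behaviour the steps above rely on -----------------------
def provision_weak(store: UserStore, username: str, email: str) -> User:
    existing = store.find(username, email)
    if existing is not None:        # silently adopts a pre-existing account
        existing.scim_managed = True
        return existing
    return store.add(User(username, email, True, True))


def patch_email_weak(store: UserStore, username: str, new_email: str) -> User:
    user = store.users[username]
    if not user.scim_managed:
        raise PermissionError("not a SCIM-managed user")
    user.email = new_email          # applied immediately, old address not told
    return user


# --- hardened flow ----------------------------------------------------------
def provision_hardened(store: UserStore, username: str, email: str) -> User:
    if store.find(username, email) is not None:
        # never bind a group's SCIM identity to an account it did not create
        raise Conflict("username or email already in use")
    return store.add(User(username, email, True, True))


def patch_email_hardened(store: UserStore, username: str, new_email: str) -> User:
    user = store.users[username]
    if not (user.scim_managed and user.provisioned_by_scim):
        raise PermissionError("account is not owned by this SCIM integration")
    if store.find(email=new_email) not in (None, user):
        raise Conflict("email already in use")
    old = user.email
    user.email = new_email
    # tell the previous address so an unexpected change is noticed
    store.notices.append((old, f"login email changed to {new_email}"))
    return user


def demo() -> Tuple[str, str]:
    """Victim's login email after the weak flow and after the hardened flow."""
    # constructed sample: a pre-existing, non-SCIM account in each store
    weak = UserStore()
    weak.add(User("alice", "alice@example.com"))
    provision_weak(weak, "alice", "alice@example.com")
    patch_email_weak(weak, "alice", "admin-chosen@example.net")  # group admin's address

    hard = UserStore()
    hard.add(User("alice", "alice@example.com"))
    try:
        provision_hardened(hard, "alice", "alice@example.com")
    except Conflict:
        pass                        # 409 in a real API; nothing was bound
    return weak.users["alice"].email, hard.users["alice"].email


if __name__ == "__main__":
    print(demo())
```

The model deliberately does not rely on the confirmation email in step 3: as the steps show, that mail goes to the new address, which the group administrator controls, so it cannot protect the original owner. The guard that matters is at provisioning time (refuse to claim an existing account), with a notice to the old address as the detection signal.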
Vulnerability found in https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/2270.
Edited by Nick Malcolm