CVE-2021-22240

Description

Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled

How to fix CVE-2021-22240

To remediate CVE-2021-22240, upgrade the affected package to a fixed version below.

Bitnami/gitlab—upgrade to 13.11.6 or later

Is CVE-2021-22240 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 13.7.0, < 13.11.6, >= 13.12.0, < 13.12.6, >= 14.0.0, < 14.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (4)

WEBgitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json
WEBgitlab.com/gitlab-org/gitlab/-/issues/327641
WEBhackerone.com/reports/1166566
WEBnvd.nist.gov/vuln/detail/CVE-2021-22240