CVE-2020-10535: 
GitLab vulnerability analysis and mitigation

GitLab versions 12.8.0 through 12.8.5 contained a vulnerability (CVE-2020-10535) that was disclosed on March 12, 2020. The vulnerability affected both GitLab Community Edition (CE) and Enterprise Edition (EE) when sign-up functionality was enabled. With the release of GitLab 12.8.0, a soft email confirmation sign-up flow was enabled by default, which introduced this security issue (GitLab Advisory).

The vulnerability allowed users to access GitLab instances for a two-day grace period with an unconfirmed email address. This implementation flaw received a CVSS v3.1 Base Score of 5.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and primarily affects integrity (NVD).

The primary impact of this vulnerability was that attackers could potentially bypass email domain restrictions during the two-day grace period given for unconfirmed email addresses. This could allow unauthorized access to GitLab instances that had specific email domain restrictions in place (GitLab Advisory).

GitLab addressed this vulnerability by releasing version 12.8.6 as a critical security update. Organizations were strongly recommended to upgrade their GitLab installations to version 12.8.6 immediately. The fix involved reverting the soft email confirmation sign-up flow that was introduced in version 12.8.0 (GitLab Advisory).

GitLab treated this as a critical security issue, releasing an out-of-band security update and initially withholding full vulnerability details for 30 days to protect users during the upgrade period (AttackerKB).