CVE-2021-22240: 
GitLab vulnerability analysis and mitigation

Improper access control vulnerability (CVE-2021-22240) was discovered in GitLab Enterprise Edition (EE) affecting versions 13.11.6, 13.12.6, and 14.0.2. The vulnerability allows users to be created via single sign-on despite user cap being enabled (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-863 (Incorrect Authorization). The issue specifically occurs when the omniauthblockautocreatedusers setting is enabled but fails to properly enforce user creation restrictions through SSO (GitLab Issue).

When exploited, this vulnerability allows unauthorized user creation through single sign-on authentication, bypassing the configured user cap limitations. This could lead to exceeding licensed user limits and potentially impact resource allocation and access control mechanisms (NVD).

The vulnerability has been fixed in GitLab Enterprise Edition versions after 13.11.6, 13.12.6, and 14.0.2. Organizations should upgrade to the patched versions to prevent unauthorized user creation through SSO (NVD).