
Cloud Vulnerability DB
A community-led vulnerabilities database
Improper validation of invited users' email address in GitLab Enterprise Edition (EE) affecting all versions since 12.2 allowed projects to add members with email address domains that should have been blocked by group settings. The vulnerability was discovered in 2019 and was officially assigned CVE-2021-22251 on January 5, 2021, with public disclosure on August 23, 2021 (MITRE CVE, NVD).
The vulnerability stems from an implementation flaw in GitLab's domain restriction feature, which was designed to restrict group access to users with specific email domains. While the restriction worked at the group level, it failed to properly enforce these restrictions at the project level, allowing project maintainers to bypass the domain restrictions. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) and a CVSS v2.0 score of 4.0 (Medium) (NVD).
The vulnerability allows unauthorized users with different email domains to be added to projects, even when group settings explicitly restrict membership to specific email domains. This bypasses the intended security controls and could potentially lead to unauthorized access to project resources (GitLab Issue).
The vulnerability was addressed in subsequent GitLab releases. Organizations using affected versions should upgrade to a patched version. As a temporary workaround, administrators should carefully monitor project-level member additions and implement additional access review processes (GitLab CVE).
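As an added example (not GitLab's code and not part of this page's source), a small audit check for the workaround described above: given the email domains a group allows and the member list of one of its projects, it flags members whose email domain falls outside the allow-list. The sample data is constructed; the member-record shape and exact, case-insensitive domain matching are assumptions, not GitLab's actual API or semantics.

```python
from typing import Dict, Iterable, List

# Constructed sample data: roughly what a group's allowed email domains and a
# project's member list might look like once pulled from the GitLab API
# (assumed shape, not the real API response).
ALLOWED_DOMAINS = ["example.com", "corp.example.com"]
PROJECT_MEMBERS = [
    {"username": "alice", "email": "alice@example.com"},
    {"username": "bob", "email": "Bob@CORP.EXAMPLE.COM"},   # only case differs
    {"username": "mallory", "email": "mallory@other.test"}, # outside allow-list
    {"username": "eve", "email": "eve@sub.example.com"},    # subdomain not listed
    {"username": "broken", "email": "no-at-sign"},          # malformed record
]


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.strip().lower()


def find_domain_violations(allowed: Iterable[str],
                           members: Iterable[Dict[str, str]]) -> List[str]:
    """Usernames of members whose email domain is not on the allow-list.

    Matching is exact and case-insensitive (assumption: subdomains are not
    implicitly covered, so 'sub.example.com' must be listed explicitly).
    Malformed addresses are reported too, since they cannot be verified.
    """
    allow = {d.strip().lower() for d in allowed}
    violations = []
    for member in members:
        if email_domain(member.get("email", "")) not in allow:
            violations.append(member["username"])
    return violations


if __name__ == "__main__":
    for user in find_domain_violations(ALLOWED_DOMAINS, PROJECT_MEMBERS):
        print(f"access review needed: {user}")
```

Run against each project in a restricted group, the output is the list of project-level memberships that the group setting should have prevented and that now need manual review.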
Source: This report was generated using AI