CVE-2022-2326: 
GitLab vulnerability analysis and mitigation

CVE-2022-2326 affects GitLab CE/EE across multiple versions (before 15.0.5, 15.1 before 15.1.4, and 15.2 before 15.2.1). The vulnerability was discovered and reported by vaib25vicky through GitLab's HackerOne bug bounty program, and was publicly disclosed on July 28, 2022 (GitLab Release).

The vulnerability allows unauthorized access to private projects through email invites by exploiting unverified secondary email addresses. The core issue stems from GitLab's failure to properly validate email verification status when matching project invitations to user accounts. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) by NIST, while GitLab assessed it as MEDIUM severity with a score of 6.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N) (NVD Database).

The vulnerability enables attackers to gain unauthorized access to private projects by adding unverified email addresses of legitimate users to their accounts. This could lead to unauthorized access to sensitive project data and potential impersonation of legitimate company employees (GitLab Release).

The vulnerability has been patched in GitLab versions 15.2.1, 15.1.4, and 15.0.5. Organizations are strongly recommended to upgrade to these or newer versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).