GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address.
Recent assessments:
ericalexanderorg at March 16, 2020 3:55pm UTC reported:
Not enough details to fully assess ATM but GitLab is signaling this is a high value vulnerability through: 1) Out of band critical release 2) Withholding details for 30 days (not sure they've ever done so).
wvu-r7 at June 09, 2020 10:52pm UTC reported:
Not enough details to fully assess ATM but GitLab is signaling this is a high value vulnerability through: 1) Out of band critical release 2) Withholding details for 30 days (not sure they've ever done so).
Assessed Attacker Value: 4
Assessed Attacker Value: 3