A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1
{ "cpes": [ "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe:2.3:a:gitlab:gitlab:13.0.0:*:*:*:community:*:*:*", "cpe:2.3:a:gitlab:gitlab:13.0.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" ], "severity": "High" }