DIVD-2022-00015 - Unauthenticated user enumeration on GraphQL API

Summary

On February 25, 2022, GitLab published a fix for CVE-2021-4191, which is an instance of CWE-359, “Exposure of Private Personal Information to an Unauthorized Actor.” The now-patched vulnerability affected GitLab versions since 13.0. The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries. A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.

[source]

What you can do

Update to 14.8.2, 14.7.4, and 14.6.5, see the release blog post

Disabling public profiles is also excellent mitigation against unauthenticated information gathering. To disable public profiles, go to the Admin Area -> General -> Visibility and access controls -> Restricted visibility levels. Then check the box next to “Public.” This should prevent anyone who isn’t logged in from seeing user profiles.

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email, and we’ll gladly help.

Fixes and patches provided by Gitlab

What we are doing

• We are scanning the internet for vulnerable GitLab servers, and will notify system owners via the listed abuse contacts.

Timeline

More information

• CVE
• GitLab Release Notes
• Rapid7 Blog about CVE-2021-4191