
DIVD-2022-00015 - Unauthenticated user enumeration on GraphQL API

Our reference DIVD-2022-00015
Case lead Martin van Wingerden
Author Mick Beer
Researcher(s)
CVE(s)
Product GitLab
Versions Versions starting from 13.0 and up to 14.8.2, 14.7.4, and 14.6.5
Recommendation Patches are available from the vendor.
Workaround Disable public profiles
Status Closed
Last modified 09 Sep 2022 12:25

Summary

On February 25, 2022, GitLab published a fix for CVE-2021-4191, which is an instance of CWE-359, “Exposure of Private Personal Information to an Unauthorized Actor.” The now-patched vulnerability affected GitLab versions since 13.0. The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries. A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.


What you can do

Update to 14.8.2, 14.7.4, or 14.6.5; see the release blog post.
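As an added example (not part of this DIVD page or of GitLab's own tooling), the check below turns the version statement above into a script an administrator can run against the version string of their own instance: affected versions start at 13.0, and the fixed releases are 14.8.2, 14.7.4 and 14.6.5, so any 14.6.x, 14.7.x or 14.8.x release below its branch fix is affected, as is every release between 13.0 and 14.5.x, which never received a fix. The sample `gitlab-rake gitlab:env:info` output is constructed for the example; the "Version:" line format is an assumption.

```python
"""Classify a GitLab version against the DIVD-2022-00015 / CVE-2021-4191 range.

Affected: versions from 13.0 up to (not including) the fixed releases
14.8.2, 14.7.4 and 14.6.5, as stated in the advisory above.
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

FIRST_AFFECTED: Version = (13, 0, 0)
FIXED_RELEASES: list[Version] = [(14, 6, 5), (14, 7, 4), (14, 8, 2)]


def parse_version(text: str) -> Version:
    """Extract the first MAJOR.MINOR[.PATCH] number from a string such as
    '14.6.3', '14.6.3-ee' or a whole `gitlab-rake gitlab:env:info` dump."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str | Version) -> bool:
    """True if the version falls inside the affected range."""
    v = parse_version(version) if isinstance(version, str) else version
    if v < FIRST_AFFECTED:
        return False  # before 13.0: the vulnerable code path did not exist
    if v >= max(FIXED_RELEASES):
        return False  # 14.8.2 and every later release carry the fix
    for fix in FIXED_RELEASES:
        if v[:2] == fix[:2]:
            return v < fix  # on a patched branch: fixed only from the fix release
    # 13.0 .. 14.5.x: these branches never received a fix, so they stay affected
    return True


def recommended_release(version: str | Version) -> Version | None:
    """Fix release to move to, or None when the version is not affected.
    Patched branches get their own fix; unpatched branches get the newest one."""
    v = parse_version(version) if isinstance(version, str) else version
    if not is_affected(v):
        return None
    for fix in FIXED_RELEASES:
        if v[:2] == fix[:2]:
            return fix
    return max(FIXED_RELEASES)


def version_from_env_info(env_info: str) -> Version:
    """Pick the GitLab version out of `gitlab-rake gitlab:env:info` output.
    The 'Version:' line format is assumed for this example."""
    for line in env_info.splitlines():
        if line.strip().startswith("Version:"):
            return parse_version(line)
    raise ValueError("no 'Version:' line in env info")


# Constructed sample output, not captured from a real instance.
SAMPLE_ENV_INFO = """\
GitLab information
Version:        14.6.3-ee
Revision:       (placeholder)
"""

if __name__ == "__main__":
    current = version_from_env_info(SAMPLE_ENV_INFO)
    target = recommended_release(current)
    print(f"running {'.'.join(map(str, current))}: "
          f"{'affected, update to ' + '.'.join(map(str, target)) if target else 'not affected'}")
```

Versions above 14.8.2 (for example 14.9.0 or 15.x) are reported as not affected, and a 14.5.x instance is pointed at 14.8.2 because its own branch has no fix.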

Disabling public profiles is also an effective mitigation against unauthenticated information gathering. To disable public profiles, go to Admin Area -> General -> Visibility and access controls -> Restricted visibility levels and check the box next to “Public.” This prevents anyone who is not logged in from seeing user profiles.

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email, and we’ll gladly help.

Fixes and patches provided by Gitlab

What we are doing

Timeline

Date Description
25 Feb 2022 GitLab reported the vulnerability.
04 Mar 2022 DIVD starts OSINT research.
04 Mar 2022 - 31 Aug 2022 DIVD scans the internet for vulnerable GitLab instances.
05 Mar 2022 DIVD starts identifying the owners.
07 Mar 2022 DIVD sends out the first notification to abuse mailboxes.
24 Mar 2022 DIVD sends out the second notification to abuse mailboxes.
27 Apr 2022 DIVD sends out the third notification to abuse mailboxes.
01 Jul 2022 DIVD sends out a final notification to abuse mailboxes.

More information