DIVD-2022-00015 - Unauthenticated user enumeration on GraphQL API
| Field | Value |
|---|---|
| Case lead | Martin van Wingerden |
| Versions | Versions starting from 13.0 and up to 14.8.2, 14.7.4, and 14.6.5 |
| Recommendation | Patches are available from the vendor. |
| Workaround | Disable public profiles |
| Last modified | 09 Sep 2022 12:25 |
On February 25, 2022, GitLab published a fix for CVE-2021-4191, which is an instance of CWE-359, “Exposure of Private Personal Information to an Unauthorized Actor.” The now-patched vulnerability affected GitLab versions since 13.0. The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries. A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
What you can do
Update to 14.8.2, 14.7.4, or 14.6.5 (the patched release for the branch you run); see the release blog post.
Disabling public profiles is also an effective mitigation against unauthenticated information gathering. To disable public profiles, go to the Admin Area -> General -> Visibility and access controls -> Restricted visibility levels, then check the box next to “Public.” This prevents anyone who isn’t logged in from seeing user profiles.
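The affected range in the case details is branch-aware: every release from 13.0 up to the last 14.5.x is affected, while the 14.6, 14.7 and 14.8 branches are fixed from 14.6.5, 14.7.4 and 14.8.2 respectively. The following Python is an added example (not DIVD's or GitLab's code) that turns that range into an inventory check an administrator can run against the version strings of their own instances. It assumes version strings of the form `X.Y.Z`, optionally with an edition suffix such as `-ee`; the inventory in `triage()` is constructed sample data.

```python
"""Branch-aware check of whether a GitLab version falls in the range that
DIVD-2022-00015 lists as affected by CVE-2021-4191.
Added example; not DIVD or GitLab code."""
import re
from typing import Dict, Tuple

# First fixed patch level on each branch that received a backported fix,
# taken from the case details: 14.8.2, 14.7.4 and 14.6.5.
FIXED_PATCH_LEVEL: Dict[Tuple[int, int], int] = {
    (14, 8): 2,
    (14, 7): 4,
    (14, 6): 5,
}
# The vulnerable code path is present from 13.0 onwards.
FIRST_AFFECTED = (13, 0, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (patch level optional) into a comparable tuple.

    Trailing edition suffixes such as '-ee' are ignored; that suffix format
    is an assumption about how operators record their versions."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(text: str) -> bool:
    """True if the version lies inside the affected range."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False  # predates the vulnerable code

    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        # Branch received a backport: affected until the fixed patch level.
        return patch < FIXED_PATCH_LEVEL[branch]

    # Branches older than the oldest backported one never got the fix;
    # branches newer than the newest one ship with it already.
    newest_fixed_branch = max(FIXED_PATCH_LEVEL)
    return branch < newest_fixed_branch


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host name to whether its reported version needs the patch."""
    return {host: is_affected(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "git.example.test": "14.7.3-ee",
        "code.example.test": "14.8.2-ce",
        "legacy.example.test": "13.12.15",
        "new.example.test": "15.3.0",
    }
    for host, needs_patch in triage(sample).items():
        print(f"{host:22} {'AFFECTED' if needs_patch else 'ok'}")
```

Instances flagged as affected should be updated to the patched release for their branch; instances that cannot be updated immediately can apply the public-profile workaround described above in the meantime.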
If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email, and we’ll gladly help.
Fixes and patches provided by GitLab
What we are doing
- We are scanning the internet for vulnerable GitLab servers, and will notify system owners via the listed abuse contacts.
| Date | Event |
|---|---|
| 25 Feb 2022 | GitLab reported about the vulnerability. |
| 04 Mar 2022 | DIVD starts OSINT research. |
| 04 Mar 2022 - 31 Aug 2022 | DIVD scans the internet for vulnerable GitLab instances. |
| 05 Mar 2022 | DIVD starts identifying the owners. |
| 07 Mar 2022 | DIVD sends out the first notification to abuse mailboxes. |
| 24 Mar 2022 | DIVD sends out the second notification to abuse mailboxes. |
| 27 Apr 2022 | DIVD sends out the third notification to abuse mailboxes. |
| 01 Jul 2022 | DIVD sends out a final notification to abuse mailboxes. |