
DIVD-2022-00015 - Unauthenticated user enumeration on GraphQL API

Our reference: DIVD-2022-00015
Case lead: Martin van Wingerden
Author: Mick Beer
Researcher(s):
CVE(s): CVE-2021-4191
Product: GitLab
Versions: all versions from 13.0 before 14.6.5, 14.7.x before 14.7.4, and 14.8.x before 14.8.2
Recommendation: Patches are available from the vendor.
Workaround: restrict the Public visibility level (disables public profiles)
Status: Open
Last modified: 20 Jun 2022 07:35

Summary

On February 25, 2022, GitLab published a fix for CVE-2021-4191, which is an instance of CWE-359, “Exposure of Private Personal Information to an Unauthorized Actor.” The now-patched vulnerability affected GitLab versions since 13.0. The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries. A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.

[source]

What you can do

Update to 14.8.2, 14.7.4 or 14.6.5, whichever matches the release line you are running; see the GitLab release blog post for these versions.

If you cannot patch immediately, restricting the Public visibility level (which disables public profiles) is also a good mitigation against unauthenticated information gathering. Go to Admin Area -> Settings -> General -> Visibility and access controls -> Restricted visibility levels and check the box next to “Public.” This should prevent anyone who isn’t logged in from seeing user profiles. Note that this setting restricts the Public level for the whole instance, so anonymous visitors also lose access to public projects, groups and snippets; treat it as a stopgap, not a replacement for the vendor patch, and verify the behaviour on your own instance after applying it.
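To support the two actions above, here is an added triage helper that is not part of the DIVD advisory or of GitLab's own code. It does two things: it classifies a GitLab version string against the affected ranges stated in this advisory (13.0 up to 14.6.5, 14.7.x before 14.7.4, 14.8.x before 14.8.2), and it interprets the JSON an instance returns to an unauthenticated GraphQL `users` query, so an administrator can confirm after patching or after restricting Public visibility that an anonymous caller no longer receives user records. The endpoint path `/api/graphql` and the `users { nodes { username name publicEmail } }` query shape are assumptions taken from GitLab's public GraphQL schema, not from the advisory text; an empty result is reported as "no users returned" because it cannot distinguish a patched instance from one where the workaround hides users. The sample responses in the script are constructed so that it runs offline.

```python
"""Added example (not DIVD's or GitLab's code): local triage helper for
DIVD-2022-00015 / CVE-2021-4191 (unauthenticated user enumeration via GraphQL).

Assumptions (not from the advisory): the GraphQL endpoint lives at /api/graphql
and the probe uses the `users` query from GitLab's public GraphQL schema.
"""
import json
import sys
import urllib.request

# Assumption: standard install without a relative URL root.
GRAPHQL_PATH = "/api/graphql"

# Unauthenticated probe asking for the fields the advisory says were exposed.
# Assumption: query shape taken from GitLab's GraphQL schema, not the advisory.
USERS_QUERY = "{ users { nodes { username name publicEmail } } }"

# Affected ranges from the advisory, as (first affected, first fixed) per release line.
AFFECTED_RANGES = (
    ((13, 0, 0), (14, 6, 5)),   # 13.0 up to but excluding 14.6.5
    ((14, 7, 0), (14, 7, 4)),   # 14.7.x before 14.7.4
    ((14, 8, 0), (14, 8, 2)),   # 14.8.x before 14.8.2
)


def parse_version(text):
    """Turn '14.8.1-ee' or '14.7' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]          # drop '-ee', '-ce', '-pre' suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                          # pad '14.7' to (14, 7, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def build_probe_request(base_url):
    """HTTP request for the probe. Deliberately carries no token or cookie."""
    body = json.dumps({"query": USERS_QUERY}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def classify_graphql_response(payload):
    """Map a parsed GraphQL response to (verdict, number of user records returned)."""
    data = payload.get("data") or {}
    users = data.get("users")
    if isinstance(users, dict) and users.get("nodes"):
        # An anonymous caller received user records: the missing auth check is present.
        return "vulnerable", len(users["nodes"])
    if users is None and payload.get("errors"):
        # The server refused or errored on the query; inspect payload["errors"].
        return "query refused", 0
    if isinstance(users, dict):
        # Empty list: patched, or Public visibility restricted. Cannot tell which.
        return "no users returned", 0
    return "unknown", 0


def probe(base_url, timeout=10):
    """Send the unauthenticated probe to a live instance and classify the answer."""
    with urllib.request.urlopen(build_probe_request(base_url), timeout=timeout) as resp:
        payload = json.load(resp)
    return classify_graphql_response(payload)


if __name__ == "__main__":
    # Constructed sample responses so the script demonstrates itself offline.
    VULNERABLE_REPLY = {"data": {"users": {"nodes": [
        {"username": "alice", "name": "Alice Example", "publicEmail": "alice@example.test"},
        {"username": "bob", "name": "Bob Example", "publicEmail": None},
    ]}}}
    CLEAN_REPLY = {"data": {"users": {"nodes": []}}}
    for label, reply in (("constructed vulnerable reply", VULNERABLE_REPLY),
                         ("constructed clean reply", CLEAN_REPLY)):
        print(label, "->", classify_graphql_response(reply))
    for ver in ("14.8.1-ee", "14.8.2-ee", "14.7.3", "14.6.5", "13.12.0"):
        print(ver, "->", "affected" if is_affected_version(ver) else "not affected")
    # Optional live check against your own instance: python3 check.py https://gitlab.example.test
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

Run the live check only against instances you administer. A "vulnerable" verdict means an anonymous request got user records back and the patch is missing; "no users returned" after you update or restrict Public visibility is the expected state.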

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email, and we’ll gladly help.

Fixes and patches provided by GitLab

What we are doing

Timeline

Date         Description
25 Feb 2022  GitLab publishes the fix and advisory for the vulnerability.
04 Mar 2022  DIVD starts OSINT research.
04 Mar 2022  DIVD starts scanning the internet for vulnerable GitLab instances.
05 Mar 2022  DIVD starts identifying the owners of vulnerable instances.

More information