QID 376486

Date Published: 2022-03-24

QID 376486: GitLab Unauthenticated User Enumeration on GraphQL API Vulnerability

GitLab, the software, is a web-based Git repository manager with wiki and issue tracking features.

The GitLab update fixes the following vulnerabilities:

CVE-2021-4191: Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.

Affected Version:
All versions from 13.0 prior to 14.6.5
All versions from 14.7 prior to 14.7.4
All versions from 14.8 prior to 14.8.2

On Successful exploitation Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.

CVSS V3 rated as Medium - 5.3 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

The vendor has released patch, For more information please visit GitLab advisory

Vendor References

Gitlab-Advisory - about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/#unauthenticated-user-enumeration-on-graphql-api

CVEs related to QID 376486

CVE-2021-4191 |

Software Advisories

Advisory ID	Software	Component	Link
Gitlab-Advisory			about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].