CASE: GITLAB GRAPHQL API USER ENUMERATION

The case

On November 18, 2021, a researcher at security company Rapid7 discovered a vulnerability (CVE-2021-4191) in Gitlab that allowed an unauthorised user to collect other users’ personal information. The vulnerability could allow a remote, unauthenticated attacker to collect registered GitLab usernames, names, and email addresses. Cybercriminals could use this information to conduct brute-force attacks, including password guessing, password spraying - trying usernames with common passwords – and credential stuffing - algorithmically trying usernames and passwords on different sites. The vulnerability affected GitLab versions since 13.0.

Following responsible disclosure, on February 25, 2022, GitLab published a fix for the vulnerability.

What we did

DIVD scanned the internet and found almost 14.000 vulnerable systems. DIVD notified the system owners and advised them to update to version 14.6.5, 14.7.4, or 14.8.2.

Besides CVE-2021-4191, the patch also fixes six other security flaws, one of which is rated as critical (CVE-2022-0735).

On July 1, 6.415 systems were still vulnerable and a notification was sent to the owners responsible for the vulnerable instances. After a final scan on August 31st, there were still 5.447 vulnerable systems left, but the case was closed.

What you can do

Update Gitlab to at least version 14.8.2, 14.7.4, and 14.6.5, see the release blog post.

Disabling public profiles is also an excellent mitigation against unauthenticated information gathering. To disable public profiles, go to the Admin Area -> General -> Visibility and access controls -> Restricted visibility levels. Then check the box next to “Public.” This should prevent anyone who isn’t logged in from seeing user profiles.

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to this email, and we’ll gladly help.

More information

• DIVD-2022-00015
• GitLab Critical Security Release: 14.8.2, 14.7.4, and 14.6.5
• The Hacker News: New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances