Researchers have revealed details of a now-patched security vulnerability in GitLab, the open-source DevOps platform, that could allow a remote, unauthenticated attacker to retrieve information about registered users.
Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 13.0, and all versions starting from 14.4 and prior to 14.8.
Jake Baines, senior security researcher at Rapid7, is credited with discovering and reporting the flaw. Following responsible disclosure on November 18, 2021, fixes shipped on February 25, 2022 as part of GitLab's critical security releases 14.8.2, 14.7.4, and 14.6.5.
“The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API requests,” Baines said in a Thursday report. “A remote, unauthenticated attacker can use this vulnerability to harvest registered GitLab usernames, names, and email addresses.”
Successful exploitation of the API information leak would let an attacker enumerate a target's valid usernames and compile them into a list, which then serves as a springboard for password-based attacks such as brute-force password guessing, password spraying, and credential stuffing. Because the endpoint requires no authentication, the enumeration can be run against any reachable instance before a single login attempt is made.
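Two checks a defender might want around this bug, as an added example that is not code from the article, from GitLab, or from Rapid7: `is_affected()` decides whether a GitLab version string falls inside the vulnerable range using only the fix releases the article names (14.8.2, 14.7.4, 14.6.5) and the 13.0 lower bound, and `flag_graphql_enumeration()` scans JSON request logs for source IPs that send a burst of unauthenticated POSTs to `/api/graphql`, the kind of traffic a username-harvesting run would generate. The log field names (`method`, `path`, `remote_ip`, `username`) are an assumption modelled on GitLab's `production_json.log`, and the sample lines are constructed, not real traffic.

```python
"""
Added example, not from the article or from GitLab/Rapid7.

- is_affected(version): True if the version is in the range hit by
  CVE-2021-4191, based on the fix releases 14.8.2 / 14.7.4 / 14.6.5 and
  the 13.0 lower bound quoted in the article.
- flag_graphql_enumeration(lines): counts unauthenticated POSTs to the
  GraphQL endpoint per source IP. Field names are ASSUMED to follow
  GitLab's production_json.log; the sample log below is CONSTRUCTED.
"""
import json
from collections import Counter

# Branches that received the backported fix, mapped to the first fixed release.
FIXED_RELEASES = {(14, 8): (14, 8, 2), (14, 7): (14, 7, 4), (14, 6): (14, 6, 5)}
FIRST_AFFECTED = (13, 0, 0)


def parse_version(version: str) -> tuple:
    """Turn '14.7.3', 'v14.7.3' or '14.7.3-ee' into (14, 7, 3)."""
    core = version.lstrip("v").split("-")[0]   # drop the '-ee'/'-ce' suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                       # '13.0' -> (13, 0, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_RELEASES:
        # Patched branch: only point releases below the fix are vulnerable.
        return v < FIXED_RELEASES[branch]
    # Older branches (e.g. 14.5, 13.x) never received the fix; anything at
    # or above 14.8.2 carries it.
    return v < FIXED_RELEASES[(14, 8)]


# Constructed sample in an assumed production_json.log-like shape.
# 'username': null marks an unauthenticated request.
SAMPLE_LOG = """
{"method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.9","username":null}
{"method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.9","username":null}
{"method":"POST","path":"/api/graphql","status":200,"remote_ip":"203.0.113.9","username":null}
{"method":"POST","path":"/api/graphql","status":200,"remote_ip":"198.51.100.7","username":"alice"}
{"method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"203.0.113.9","username":null}
{"method":"POST","path":"/api/graphql","status":200,"remote_ip":"192.0.2.33","username":null}
not-json-garbage-line
""".strip().splitlines()


def flag_graphql_enumeration(lines, threshold: int = 3) -> dict:
    """Return {remote_ip: count} for IPs with >= threshold unauthenticated
    POSTs to /api/graphql. Malformed lines are skipped, not fatal."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if (rec.get("method") == "POST"
                and rec.get("path") == "/api/graphql"
                and rec.get("username") is None):
            counts[rec.get("remote_ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ver in ("14.7.3-ee", "14.7.4", "14.5.4", "14.8.2", "12.10.0"):
        print(f"{ver:12s} affected={is_affected(ver)}")
    print("suspicious sources:", flag_graphql_enumeration(SAMPLE_LOG))
```

The log check is a heuristic, not a signature: legitimate anonymous GraphQL clients exist, so tune the threshold and window to your instance and treat a hit as a prompt to pivot on the source IP, not as proof of exploitation. The version check is the more reliable signal; anything it flags should be upgraded regardless of what the logs show.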
“The information leak also potentially allows an attacker to create a new user wordlist based on GitLab installs – not only from gitlab.com but also from the other 50,000 GitLab instances accessible from the Internet,” Baines said.
Apart from CVE-2021-4191, the patch also addresses six other security flaws, one of which is a critical issue (CVE-2022-0735, CVSS score: 9.6) that allows an unauthorized attacker to siphon runner registration tokens, which are used to register the runners that authenticate to a GitLab instance and execute its CI/CD jobs.