Researchers have disclosed details of a new security vulnerability in GitLab, the open-source DevOps platform, that could allow a remote, unauthenticated attacker to obtain lists of the web application's users.
The vulnerability, tracked as CVE-2021-4191 (CVSS score: 5.3), affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0, and all versions from 14.4 up to 14.8.
It was discovered by Jake Baines, senior security researcher at Rapid7. Fixes for self-managed servers were released on February 25, 2022 as part of the critical security releases GitLab 14.8.2, 14.7.4 and 14.6.5.
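The check an operator of a self-managed instance wants at this point is whether the running version falls inside the affected range. The following Python is an added example, not code from Rapid7 or GitLab: it takes the fixed releases named above (14.8.2, 14.7.4 and 14.6.5) and the 13.0 lower bound as its only inputs, treats every release from 13.0 up to those fixes as affected, and reports which fixed release to move to. The version strings it assesses are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases listed in the advisory summary above, keyed by release series.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (14, 8): (14, 8, 2),
    (14, 7): (14, 7, 4),
    (14, 6): (14, 6, 5),
}
# The page states the issue is present starting from 13.0; earlier releases
# are treated as outside the affected range (an assumption taken from that).
FIRST_AFFECTED: Version = (13, 0, 0)


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from strings such as '14.7.3' or '14.7.3-ee'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version is within the range CVE-2021-4191 applies to."""
    if version < FIRST_AFFECTED:
        return False
    # Anything at or beyond the newest fix (14.8.2, and later series) is fixed.
    if version >= FIXED_RELEASES[(14, 8)]:
        return False
    series = version[:2]
    # Backported fixes: 14.7.x is fixed from 14.7.4, 14.6.x from 14.6.5.
    if series in FIXED_RELEASES:
        return version < FIXED_RELEASES[series]
    # Every other release from 13.0 up to 14.8.1 is affected.
    return True


def recommended_release(version: Version) -> Version:
    """Smallest fixed release for the same series, else the latest fix."""
    return FIXED_RELEASES.get(version[:2], FIXED_RELEASES[(14, 8)])


def assess(text: str) -> str:
    """Human-readable verdict for one version string."""
    version = parse_version(text)
    if version is None:
        return f"{text!r}: unrecognised version string"
    if not is_affected(version):
        return f"{text}: not in the affected range"
    target = ".".join(str(part) for part in recommended_release(version))
    return f"{text}: AFFECTED by CVE-2021-4191, upgrade to {target} or later"


def assess_many(texts: List[str]) -> List[str]:
    return [assess(t) for t in texts]


if __name__ == "__main__":
    # Constructed sample inventory, e.g. as read from each instance's
    # Admin > Overview page or a configuration-management database.
    sample_inventory = ["14.7.3-ee", "14.6.5-ce", "14.8.1", "13.12.0", "12.10.2", "14.9.0"]
    for line in assess_many(sample_inventory):
        print(line)
```

Feed it the version strings you collect from each instance; a line marked AFFECTED names the fixed release for that series, so a 14.7.x instance is pointed at 14.7.4 rather than forced straight to 14.8.2.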
“The problem is related to the lack of authentication verification when executing certain GitLab GraphQL API requests,” Baines said in a report published Thursday. “A remote, unauthenticated attacker could exploit this vulnerability to collect registered GitLab usernames, names, and email addresses.”
Successful exploitation of the vulnerability can serve as a springboard for further brute-force attacks, including password guessing, password spraying and credential stuffing.
“The information leak also potentially allows an attacker to create a new list of usernames based on GitLab installations – not only gitlab.com [which had been patched at the time of writing], but also the other 50,000 GitLab instances reachable from the internet,” Baines said.
In addition to CVE-2021-4191, the patch fixed six more security vulnerabilities, one of which is critical (CVE-2022-0735, CVSS score: 9.6). That vulnerability allows an unauthorized attacker to capture GitLab Runner tokens, which are used to authenticate and authorize the CI/CD jobs hosted on GitLab instances.