CVE-2020-26413
published 2020-12-11


Priority: P348
Severity: medium (CVSS 3.1 base score 5.3)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 33.77% (98.2th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.

Affected

7 ranges

Vendor  | Product      | Version range           | Fixed in
debian  | gitlab       | < gitlab 13.4.7-1 (sid) | gitlab 13.4.7-1 (sid)
gitlab  | gitlab       |                         |
gitlab  | gitlab       | >= 13.4.0 < 13.6.2      | 13.6.2
gitlab  | gitlab_ce    |                         |
gitlab  | gitlab_ce_ee |                         |
gitlab  | gitlab_ce_ee |                         |
gitlab  | gitlab_ce_ee |                         |

Detection & IOCs (extracted from sources)

URL: /api/graphql
Command: {"query": "{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }", "variables": null, "operationName": null}
  • Detect exploitation attempts by monitoring POST requests to /api/graphql containing the 'users' query with 'email' field enumeration
  • Response body containing all three fields '"username":', '"avatarUrl":', and '"node":' together with HTTP 200 indicates successful information disclosure
  • Extract leaked user emails from GraphQL response using JSON path '.data.users.edges[].node.email'
  • Shodan/FOFA queries can be used to identify exposed GitLab instances as targets: search for http.title:"GitLab" or title="gitlab"
  • Vulnerability affects GitLab CE/EE versions 13.4 through 13.6.2 only; versions prior to 13.4 and 13.6.3+ are not affected
  • The GraphQL endpoint is unauthenticated (PR:N, UI:N per CVSS), meaning no credentials are required to exploit this information disclosure
  • High EPSS score (0.82145, 99.2nd percentile) indicates this CVE has a very high probability of exploitation in the wild
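A defender-side check for the detection bullets above, added here as an example and not part of the original record or of GitLab's code: it flags POST requests to /api/graphql whose query selects `email` under `users`, and walks `.data.users.edges[].node.email` of a response to measure what a successful request exposed. The request records and the response are constructed samples.

```python
import json
import re

# Constructed sample request log (not from the record): (method, path, status, body)
# as a reverse proxy or WAF might store it. Only the first entry is the probe.
SAMPLE_REQUESTS = [
    ("POST", "/api/graphql", 200,
     '{"query": "{\\nusers {\\nedges {\\n node {\\n username\\n email\\n avatarUrl\\n }\\n }\\n }\\n }", "variables": null}'),
    ("POST", "/api/graphql", 200,
     '{"query": "{ project(fullPath: \\"group/app\\") { name } }", "variables": null}'),
    ("GET", "/api/graphql", 200, ""),
    ("POST", "/api/graphql", 400, "not json at all"),
]

# Constructed sample response: two user nodes, only one with a visible email.
SAMPLE_RESPONSE = ('{"data":{"users":{"edges":['
                   '{"node":{"username":"alice","email":"alice@example.com","avatarUrl":null}},'
                   '{"node":{"username":"bob","email":null,"avatarUrl":null}}]}}}')

# `email` selected inside a `users` selection set, before any closing brace.
# \b keeps `username` from matching as `email`.
USERS_EMAIL_RE = re.compile(r"\busers\b[^}]*\bemail\b")

def is_user_email_enumeration(method, path, body):
    """True when a request matches the CVE-2020-26413 pattern:
    POST /api/graphql with a query selecting email under users."""
    if method != "POST" or path != "/api/graphql":
        return False
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    query = doc.get("query") if isinstance(doc, dict) else None
    if not isinstance(query, str):
        return False
    flat = re.sub(r"\s+", " ", query)  # collapse the \n-separated selection set
    return USERS_EMAIL_RE.search(flat) is not None

def flag_requests(records):
    """Indices of records that match the enumeration pattern."""
    return [i for i, (m, p, _s, b) in enumerate(records)
            if is_user_email_enumeration(m, p, b)]

def extract_leaked_emails(response_body):
    """Follow .data.users.edges[].node.email; missing keys yield no entries."""
    try:
        doc = json.loads(response_body)
    except (ValueError, TypeError):
        return []
    data = doc.get("data") if isinstance(doc, dict) else None
    edges = ((data or {}).get("users") or {}).get("edges") or []
    return [e["node"]["email"] for e in edges
            if isinstance(e, dict) and isinstance(e.get("node"), dict)
            and isinstance(e["node"].get("email"), str)]
```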

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv           |         | 5.3   | MEDIUM   |
vendor_debian |         | 5.3   | MEDIUM   |