Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-4191: Improper Authentication in GitLab

Severity: 5.3 MEDIUM (NVD)
EPSS: 92.3% (top 0.28%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Mar 28; latest update Mar 29

Description

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (5 packages)

Source      Package          Affected range
NVD         gitlab/gitlab    13.0.0 to 14.6.5 (+2 more ranges)
Debian      debian/gitlab    < gitlab 15.10.8+ds1-2 (sid)
CVEListV5   gitlab/gitlab    >=13.0, <14.6.5; >=14.7, <14.7.4; >=14.8, <14.8.2 (+2 more ranges)
GitLab      gitlab/gitlab

🔴 Vulnerability Details (3)

Source      Entry                                                                                                   Date
GHSA        GHSA-m37q-w59j-4vr4: An issue has been discovered in GitLab CE/EE affecting versions 13...              2022-03-29
OSV         CVE-2021-4191: An issue has been discovered in GitLab CE/EE affecting versions 13...                    2022-03-28
VulnCheck   GitLab CE/EE 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2 Unauthenticated User Enumeration        2021

💥 Exploits & PoCs (2)

Source       Entry
Nuclei       GitLab GraphQL API User Enumeration
Metasploit   GitLab GraphQL API User Enumeration

📋 Vendor Advisories (2)

Source   Entry                                                                                                                                                        Date
GitLab   CVE-2021-4191: An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with rest...   2022-03-28
Debian   CVE-2021-4191: gitlab - An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, ...                                                              2021