CVE-2021-4191
Published 2022-03-28
Priority: P1 · 79 · medium · CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 80.00% (99.6th percentile)
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.0.0 < 14.6.5 | 14.6.5 |
| gitlab | gitlab | >= 14.7.0 < 14.7.4 | 14.7.4 |
| gitlab | gitlab | >= 14.8 < 14.8.2 | 14.8.2 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
Command: `{"query":"...{\n users {\n nodes {\n id\n name\n username\n }\n }\n}","variables":null,"operationName":null}`
- Detect unauthenticated POST requests to /api/graphql containing a 'users { nodes { id name username } }' query; this is the core exploitation pattern for this CVE.
- A successful exploitation response will contain all four JSON keys, '"data"', '"users"', '"nodes"' and '"id"', plus the GitLab internal ID prefix 'gid://' in the response body.
- Requests exploiting this vulnerability will include the Referer header pointing to the GraphQL explorer path: {{RootURL}}/-/graphql-explorer
- The Metasploit auxiliary module 'scanner/http/gitlab_graphql_user_enum' can be used to confirm exploitation; monitor for its characteristic unauthenticated GraphQL enumeration requests.
- Use the JSON extractor pattern '.data.users.nodes[].username' on GraphQL API responses to identify successful user enumeration data exfiltration.
- The vulnerability only affects GitLab instances with restricted sign-ups enabled; publicly open instances may not expose the same risk surface.
- The affected version range is broad: GitLab CE/EE 13.0 through 14.6.5, 14.7 through 14.7.4, and 14.8 through 14.8.2. Instances outside this range are not affected.
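The request and response indicators listed above, turned into detection logic as an added example (not code from this page's sources or from GitLab). It assumes request records arrive as JSON lines with `method`, `path`, `headers` and `body` fields, treats any `Authorization`, `PRIVATE-TOKEN` or `Cookie` header as an authenticated caller (a heuristic), and runs over constructed sample records.

```python
import json
import re

# Selection shape from the detection guidance: users { nodes { ... } }, whitespace-tolerant.
USER_ENUM_RE = re.compile(r"users\s*\{\s*nodes\s*\{", re.IGNORECASE)
# Header names that, when present, mark the caller as authenticated (assumed heuristic).
AUTH_HEADERS = ("authorization", "private-token", "cookie")


def is_user_enum_request(event: dict) -> bool:
    """Flag an unauthenticated POST to /api/graphql carrying a users/nodes selection."""
    if event.get("method") != "POST" or not event.get("path", "").endswith("/api/graphql"):
        return False
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if any(h in headers for h in AUTH_HEADERS):
        return False  # authenticated callers may legitimately list users
    try:
        query = json.loads(event.get("body") or "{}").get("query", "")
    except json.JSONDecodeError:
        return False
    return bool(USER_ENUM_RE.search(query))


def exposed_usernames(response_body: str) -> list:
    """Usernames leaked by a successful response: .data.users.nodes[].username with gid:// ids."""
    try:
        nodes = json.loads(response_body)["data"]["users"]["nodes"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return []
    return [n["username"] for n in nodes
            if isinstance(n, dict) and str(n.get("id", "")).startswith("gid://") and "username" in n]


def scan_jsonl(lines) -> list:
    """Return the 1-based line numbers of request records that match the enumeration pattern."""
    hits = []
    for no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if is_user_enum_request(event):
            hits.append(no)
    return hits


# Constructed sample records (not real traffic): only the first one should alert.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/api/graphql", "headers": {"Referer": "https://gitlab.example/-/graphql-explorer"},
     "body": json.dumps({"query": "{\n users {\n nodes {\n id\n name\n username\n }\n }\n}", "variables": None})},
    {"method": "POST", "path": "/api/graphql", "headers": {"Authorization": "Bearer <token-placeholder>"},
     "body": json.dumps({"query": "{ users { nodes { id username } } }"})},
    {"method": "POST", "path": "/api/graphql", "headers": {}, "body": json.dumps({"query": "{ currentUser { id } }"})},
    {"method": "GET", "path": "/api/v4/version", "headers": {}, "body": ""},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
# Constructed sample response body in the shape the indicators describe.
SAMPLE_RESPONSE = json.dumps({"data": {"users": {"nodes": [
    {"id": "gid://gitlab/User/1", "name": "Admin", "username": "root"},
    {"id": "gid://gitlab/User/2", "name": "Alice", "username": "alice"}]}}})
```

Pair `scan_jsonl` with `exposed_usernames` on the matching response to enrich an alert with how many accounts were disclosed.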
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vulncheck | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
GHSA
GHSA-m37q-w59j-4vr4 · ghsa_unreviewed · 2022-03-29 · CWE-287 · MEDIUM
Same description as above.
OSV
CVE-2021-4191 · osv · 2022-03-28 · CVSS 5.3 · MEDIUM
Same description as above.
VulnCheck
GitLab CE/EE 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2 Unauthenticated User Enumeration · vulncheck · 2021 · CVSS 5.3 · MEDIUM
Same description as above.
Affected: GitLab gitlab
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-4191; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-19&host_type=src&vulne
GitLab
CVE-2021-4191 · vendor_gitlab · 2022-03-28 · CVSS 5.3 · MEDIUM
Same description as above.
Debian
CVE-2021-4191: gitlab · vendor_debian · 2021 · CVSS 5.3 · MEDIUM
Same description as above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
Detection rules: No detection rules found.
Nuclei
GitLab GraphQL API User Enumeration · nuclei · CVSS 5.3 · MEDIUM
An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
Template (info section as indexed; the request section is not included on this page):

```yaml
id: CVE-2021-4191

info:
  name: GitLab GraphQL API User Enumeration
  author: zsusac
  severity: medium
  description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
  impact: |
    An attacker can enumerate valid usernames, which can be used for further attacks such as brute-forcing passwords or launching targeted phishing campaigns.
  remediation: |
    Implement rate limiting or CAPTCHA on the GraphQL API to prevent user enumeration.
  reference:
    - https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration
```
Metasploit
GitLab GraphQL API User Enumeration · metasploit · CVSS 5.3 · MEDIUM
This module queries the GitLab GraphQL API without authentication to acquire the list of GitLab users (CVE-2021-4191). The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.
No writeups or analysis indexed.
References:
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4191.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/343898
- https://hackerone.com/reports/1089609