CVE-2021-4191
published 2022-03-28

Priority: P179
CVSS 3.1: 5.3 (Medium)  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ITW Exploit: VulnCheck KEV (exploited in the wild)
EPSS: 80.00% (99.6th percentile)
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.

Affected

9 ranges

Vendor   Product     Version range                  Fixed in
debian   gitlab      < gitlab 15.10.8+ds1-2 (sid)   gitlab 15.10.8+ds1-2 (sid)
gitlab   gitlab      (not specified)
gitlab   gitlab      (not specified)
gitlab   gitlab      (not specified)
gitlab   gitlab      (not specified)
gitlab   gitlab      >= 13.0.0, < 14.6.5            14.6.5
gitlab   gitlab      >= 14.7.0, < 14.7.4            14.7.4
gitlab   gitlab      >= 14.8, < 14.8.2              14.8.2
gitlab   gitlab_ce   (not specified)
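The three GitLab ranges above have gaps that are easy to misread (14.6.5 and later on the 14.6 line is fixed, but 14.7.0 through 14.7.3 is affected again), so a small range check is useful when triaging an inventory. The following is an added example written for this page, not code from the advisory or from GitLab; the ranges are copied from the table, and the input format (X.Y.Z with an optional suffix such as "-ee", as GitLab returns it from GET /api/v4/version) is an assumption about the version strings you feed it.

```python
"""Affected-version check for CVE-2021-4191.

Added example, not code from the advisory or from GitLab. The ranges are the
three GitLab rows of the Affected table (lower bound inclusive, fixed release
exclusive). The input format (X.Y.Z with an optional suffix such as "-ee",
as returned by GitLab's GET /api/v4/version) is an assumption.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per range; "14.8" in the table is read as 14.8.0
AFFECTED_RANGES = [
    ((13, 0, 0), (14, 6, 5)),
    ((14, 7, 0), (14, 7, 4)),
    ((14, 8, 0), (14, 8, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Version:
    """Turn '14.7.3-ee' or '14.8' into a comparable (major, minor, patch) tuple.

    A missing patch component is treated as 0. Anything after the numeric
    prefix (edition suffix, pre-release tag) is ignored for range purposes.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_release_for(version: str) -> Optional[str]:
    """Return the fixed release that closes the range this version falls in,
    or None when the version is outside every affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version: str) -> bool:
    """True when the version lies in one of the advisory's affected ranges."""
    return fixed_release_for(version) is not None


if __name__ == "__main__":
    for v in ("12.10.14", "13.12.0", "14.6.4-ee", "14.6.5", "14.7.3", "14.8", "14.8.2", "15.0.0"):
        print(f"{v:12} affected={is_affected(v)!s:5} fix={fixed_release_for(v)}")
```

Note that fixed_release_for("13.12.0") returns 14.6.5, which is what the table says: there is no 13.x backport listed, so a 13.x instance has to move to a patched 14.x release.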

Detection & IOCs (extracted from sources)

URL: /api/graphql
Command: {"query":"...{\n users {\n nodes {\n id\n name\n username\n }\n }\n}","variables":null,"operationName":null}
Other: gid://
  • Detect unauthenticated POST requests to /api/graphql whose query selects users { nodes { id name username } }; this is the core exploitation pattern for this CVE. The body is a JSON envelope with a "query" key, so match on the GraphQL selection set rather than on exact whitespace.
  • A successful response contains the JSON keys "data", "users", "nodes" and "id", and the returned ids carry GitLab's global-ID prefix gid:// (for a user, gid://gitlab/User/<n>).
  • The scanner-template request for this CVE sets a Referer header of {{RootURL}}/-/graphql-explorer (the {{RootURL}} placeholder is Nuclei template syntax for the target's base URL). Treat the header as a weak, supporting indicator only: it is client-controlled, and a hand-crafted request can omit or spoof it.
  • The Metasploit auxiliary module scanner/http/gitlab_graphql_user_enum reproduces the unauthenticated GraphQL enumeration and can confirm that an instance is vulnerable; the same request shape is what to look for in access logs when hunting for exploitation.
  • Apply the JSON path .data.users.nodes[].username (jq syntax) to GraphQL responses to recover the enumerated usernames and gauge what an attacker obtained.
  • The vulnerability matters on instances with restricted sign-ups: where anyone can register, an attacker can create an account and enumerate users through normal authenticated API access, so unauthenticated enumeration adds little exposure there.
  • The affected range is broad: GitLab CE/EE 13.0 through 14.6.4, 14.7.0 through 14.7.3, and 14.8.0 through 14.8.1 (inclusive). The fixed releases 14.6.5, 14.7.4 and 14.8.2, anything later, and anything before 13.0 are not affected.
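The indicators above (unauthenticated POST to /api/graphql, a users { nodes { ... } } selection set, and a response with data.users.nodes[] and gid:// ids) translate directly into detection logic. The block below is an added example written for this page, not code from the advisory, GitLab, Metasploit or any scanner template. It assumes a constructed record layout (one dict per request with method, path, headers, request_body and response_body) and uses constructed sample records; map your proxy or WAF export onto those field names. It deliberately does not key on the Referer header, for the reason given above.

```python
"""Detection logic for the CVE-2021-4191 pattern (added example, not advisory,
GitLab, Metasploit or scanner-template code). Record layout (method, path,
headers, request_body, response_body) and the sample records are constructed."""
import json
import re
from typing import Dict, List, Optional

# Selection set the PoCs request. Whitespace and extra fields vary, so match the
# structure rather than the literal string from the IOC list.
_USERS_NODES_RE = re.compile(r"users\s*(?:\([^)]*\))?\s*\{\s*nodes\s*\{([^{}]*)\}", re.S)
# Headers carrying GitLab API credentials. A bare Cookie header is not checked:
# anonymous visitors also receive a session cookie, so it proves nothing.
_AUTH_HEADERS = ("authorization", "private-token")

def is_unauthenticated(headers: Dict[str, str]) -> bool:
    lower = {k.lower(): v for k, v in headers.items()}
    return not any(lower.get(h) for h in _AUTH_HEADERS)

def user_enum_fields(body: str) -> Optional[List[str]]:
    """Fields requested under users { nodes { ... } }, or None if the body is not
    a user-enumeration query. Accepts the JSON envelope or a raw GraphQL body."""
    query = body
    try:
        parsed = json.loads(body)
        if isinstance(parsed, dict) and isinstance(parsed.get("query"), str):
            query = parsed["query"]
    except ValueError:
        pass
    m = _USERS_NODES_RE.search(query)
    return m.group(1).split() if m else None

def usernames_from_response(body: str) -> List[str]:
    """Python equivalent of jq's .data.users.nodes[].username."""
    try:
        cur = json.loads(body)
    except ValueError:
        return []
    for key in ("data", "users", "nodes"):
        cur = cur.get(key) if isinstance(cur, dict) else None
    nodes = cur if isinstance(cur, list) else []
    return [n["username"] for n in nodes if isinstance(n, dict) and "username" in n]

def detect(record: dict) -> Optional[dict]:
    """Flag one record matching the unauthenticated enumeration pattern. The
    Referer header is deliberately ignored: it is attacker-controlled."""
    if record.get("method") != "POST" or record.get("path", "").split("?", 1)[0] != "/api/graphql":
        return None
    fields = user_enum_fields(record.get("request_body", ""))
    if fields is None or not is_unauthenticated(record.get("headers", {})):
        return None  # not an enumeration query, or ordinary authenticated API use
    response = record.get("response_body", "")
    usernames = usernames_from_response(response)
    return {
        "src_ip": record.get("src_ip"),
        "fields": fields,
        "usernames": usernames,
        # both response-side indicators from the IOC list must be present
        "confirmed": bool(usernames) and "gid://" in response,
    }

def scan(records: List[dict]) -> List[dict]:
    """Run detect() over a batch of records and keep the findings."""
    return [f for f in (detect(r) for r in records) if f]

SAMPLE_LOG = [  # constructed sample records, not real traffic
    {   # unauthenticated enumeration with a full response: confirmed finding
        "src_ip": "203.0.113.7", "method": "POST", "path": "/api/graphql",
        "headers": {"Content-Type": "application/json",
                    "Referer": "https://gitlab.example.test/-/graphql-explorer"},
        "request_body": json.dumps({"query": "{\n users {\n nodes {\n id\n name\n username\n }\n }\n}",
                                    "variables": None, "operationName": None}),
        "response_body": json.dumps({"data": {"users": {"nodes": [
            {"id": "gid://gitlab/User/1", "name": "Administrator", "username": "root"},
            {"id": "gid://gitlab/User/2", "name": "Alice", "username": "alice"}]}}}),
    },
    {   # same query from a token-bearing client: ordinary API use, not this CVE
        "src_ip": "10.0.0.5", "method": "POST", "path": "/api/graphql",
        "headers": {"PRIVATE-TOKEN": "glpat-REDACTED"},
        "request_body": json.dumps({"query": "{ users { nodes { username } } }"}),
        "response_body": json.dumps({"data": {"users": {"nodes": [{"username": "alice"}]}}}),
    },
    {   # unauthenticated but a different query: no finding
        "src_ip": "198.51.100.9", "method": "POST", "path": "/api/graphql", "headers": {},
        "request_body": json.dumps({"query": '{ project(fullPath: "group/repo") { name } }'}),
        "response_body": json.dumps({"data": {"project": None}}),
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

Only the first sample record produces a finding: the second carries a PRIVATE-TOKEN and is ordinary API use, the third is unauthenticated but asks for a project rather than users. A finding is marked confirmed only when the response actually lists usernames and its ids carry the gid:// prefix; a request seen without its response is still reported, just unconfirmed, so it can be correlated with the instance's own logs.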

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
osv                       5.3     MEDIUM
vulncheck                 5.3     MEDIUM
vendor_debian             5.3     MEDIUM