Cybersecurity researchers have revealed specifics of a now-patched security flaw in GitLab, an open-source DevOps platform. This vulnerability may allow a remote, unauthenticated attacker to retrieve user-related data.
The medium-severity flaw, tracked as CVE-2021-4191 (CVSS score of 5.3), affects all versions of GitLab Community Edition and Enterprise Edition starting with 13.0, as well as all versions starting with 14.4 and before 14.8.
Jake Baines, a senior security researcher at Rapid7, is credited with identifying and reporting the vulnerability. Patches were issued as part of GitLab critical security releases 14.8.2, 14.7.4, and 14.6.5 on February 25, 2022, after a responsible disclosure on November 18, 2021.
“The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries,” Baines stated in a report released on Thursday. “A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.”
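As an added defensive illustration (not code from the report or from GitLab), the check below scans constructed JSON access-log lines for GraphQL requests that carry no authenticated user yet select user-identity fields, which is the pattern an unauthenticated enumeration through an unauthenticated query path would leave. The log format, the field names and the user ids are assumptions; the page does not give the exact queries involved.

```python
import json
import re

# Constructed sample log lines (NOT GitLab's real log format): each record holds
# the request path, the authenticated user id (null for anonymous requests) and
# the GraphQL query body that was sent.
SAMPLE_LOG = """
{"path": "/api/graphql", "user_id": 42, "query": "{ currentUser { name } }"}
{"path": "/api/graphql", "user_id": null, "query": "{ users { nodes { username publicEmail } } }"}
{"path": "/api/graphql", "user_id": null, "query": "{ project(fullPath: \\"a/b\\") { name } }"}
{"path": "/api/v4/projects", "user_id": null, "query": ""}
{"path": "/api/graphql", "user_id": null, "query": "{ group(fullPath: \\"g\\") { groupMembers { nodes { user { username } } } } }"}
"""

# Field names that return user identity data; assumed here, adjust to your schema.
USER_FIELD_RE = re.compile(r"\b(username|publicEmail|email)\b")


def parse_log(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_unauthenticated_user_queries(records):
    """Return GraphQL requests made without an authenticated user that
    select user-identity fields; each hit lists the query and the fields."""
    flagged = []
    for rec in records:
        if rec.get("path") != "/api/graphql":
            continue                       # only the GraphQL endpoint is of interest
        if rec.get("user_id") is not None:
            continue                       # authenticated callers are expected to see user data
        fields = sorted(set(USER_FIELD_RE.findall(rec.get("query", ""))))
        if fields:
            flagged.append({"query": rec["query"], "fields": fields})
    return flagged


if __name__ == "__main__":
    for hit in flag_unauthenticated_user_queries(parse_log(SAMPLE_LOG)):
        print("anonymous request selecting", ", ".join(hit["fields"]), "->", hit["query"])
```

On a patched instance these requests should be rejected rather than answered, so the same scan run against post-patch logs doubles as a check that the fix is in place.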
If the API information leak is successfully exploited, hostile actors can enumerate and assemble lists of genuine usernames belonging to a target, which may then serve as a stepping stone for brute-force attacks such as password guessing, password spraying, and credential stuffing. According to Baines, the information leak might also allow an attacker to build a new username wordlist from GitLab installations, not only from gitlab.com but also from the other 50,000 GitLab instances accessible through the internet.
The patch also fixes six other security weaknesses, one of which is a major flaw (CVE-2022-0735, CVSS score of 9.6) that allows an unauthorized attacker to steal the runner registration tokens needed to authenticate and approve CI/CD tasks hosted on GitLab instances.