Thousands of GitLab instances are affected by a new security flaw.
Security researchers have revealed details of a now-patched security flaw in GitLab, an open-source DevOps platform, that may enable a remote, unauthenticated adversary to retrieve user-related data. The medium-severity vulnerability, dubbed CVE-2021–4191 (CVSS score: 5.3), impacts all versions of GitLab Community Edition and Enterprise Edition starting with 13.0, as well as all versions starting with 14.4 and previous to 14.8.
Jake Baines, a senior security researcher at Rapid7, is credited with discovering and reporting the problem. Updates were issued as part of GitLab critical security releases 14.8.2, 14.7.4, and 14.6.5 on February 25, 2022, following a responsible disclosure on November 18, 2021.
In a report released Thursday, Baines stated, “The vulnerability is the result of a missing authentication check while executing specific GitLab GraphQL API queries.” “This vulnerability allows a remote, unauthenticated attacker to gather registered GitLab usernames, names, and email addresses.”
If the API information leak is successfully exploited, hostile actors may be able to enumerate and assemble lists of…
