GitLab GraphQL API User Enumeration

Report DIVD-2022-00015 - GitLab GraphQL API User Enumeration

Written on 28 Nov 2022 by Gerard Janssen

Case lead: Martin van Wingerden
Researchers: Celistine Oosting, Victor Gevers, Mick Beer
Case file: DIVD-2022-00015

On November 18, 2021, a researcher at security company Rapid7 discovered a vulnerability (CVE-2021-4191) in GitLab that gave an unauthorized user the opportunity to collect the personal information of other users. GitLab is open-source DevOps software. The vulnerability could allow a remote, unauthenticated attacker to collect registered GitLab usernames, names, and email addresses. Malicious actors could use this information to conduct brute-force attacks, including password guessing, password spraying (trying usernames with common passwords), and credential stuffing (algorithmically trying usernames and passwords on different sites). The vulnerability affected GitLab versions since 13.0.

Following responsible disclosure, on February 25, 2022, GitLab published a fix for the vulnerability. DIVD scanned the internet and found almost 14000 vulnerable systems. DIVD notified the system owners and advised them to update to version 14.6.5, 14.7.4, or 14.8.2. Besides CVE-2021-4191, the patch also fixes six other security flaws, one of which is critical (CVE-2022-0735).

Disabling public profiles would also prevent unauthenticated information gathering.
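For administrators triaging their own instances against the versions named above, the following added example (not part of the DIVD report or of GitLab's code) classifies GitLab version strings using the affected range (since 13.0) and the fixed releases 14.6.5, 14.7.4, and 14.8.2. The function names and the sample inventory are hypothetical, and treating releases newer than the 14.8 branch as fixed is an assumption.

```python
import re

# Values from the report: affected since 13.0; fixed in 14.6.5, 14.7.4, 14.8.2.
FIRST_AFFECTED = (13, 0, 0)
FIXED_PATCH_BY_BRANCH = {(14, 6): 5, (14, 7): 4, (14, 8): 2}
NEWEST_FIXED_BRANCH = (14, 8)

# Accepts '14.7.3', 'v14.7.3', '14.7' and suffixed forms such as '14.7.3-ee'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?$")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(text):
    """Return 'not-affected', 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < FIRST_AFFECTED:
        return "not-affected"
    branch = v[:2]
    if branch in FIXED_PATCH_BY_BRANCH:
        return "fixed" if v[2] >= FIXED_PATCH_BY_BRANCH[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"  # assumption: later branches carry the fix
    return "vulnerable"  # 13.0 to 14.5.x: the report names no fixed release


def needs_upgrade(inventory):
    """Return sorted hosts that are vulnerable or whose version is unreadable."""
    return sorted(h for h, ver in inventory.items()
                  if classify(ver) in ("vulnerable", "unknown"))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "git-a.example": "14.7.3-ee",
    "git-b.example": "14.8.2",
    "git-c.example": "13.12.15",
    "git-d.example": "12.10.14",
    "git-e.example": "not reported",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], classify(SAMPLE_INVENTORY[host]))
```

Hosts with an unreadable version are listed alongside vulnerable ones so they get checked by hand rather than silently skipped.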

On July 1, 6415 systems were still vulnerable and a notification was sent.

After a final scan on August 31st, there were still 5447 vulnerable systems left, but the case was closed.


| Date | Description |
|------|-------------|
| 18 Nov 2022 | Vulnerability (CVE-2021-4191) discovered. |
| 25 Feb 2022 | GitLab reported the vulnerability. |
| 04 Mar 2022 | DIVD starts OSINT research. |
| 04 Mar 2022 - 31 Aug 2022 | DIVD scans the internet for vulnerable GitLab instances. |
| 05 Mar 2022 | DIVD starts identifying the owners. |
| 07 Mar 2022 | DIVD sends out the first notification to abuse mailboxes. |
| 24 Mar 2022 | DIVD sends out the second notification to abuse mailboxes. |
| 27 Apr 2022 | DIVD sends out the third notification to abuse mailboxes. |
| 01 Jul 2022 | DIVD sends out a final notification to abuse mailboxes. |
| 31 Aug 2022 | Case closed. |