Users related data in the hands of hackers.


Last Updated on 05/03/2022 by Nidhi Khandelwal

Researchers have revealed details of a now-patched security flaw in GitLab, an open-source DevOps platform, that may allow a remote, unauthenticated attacker to recover user-related data.

The medium-severity issue, tracked as CVE-2021-4191 (CVSS score: 5.3), affects all versions of GitLab Community Edition and Enterprise Edition starting with 13.0, as well as all versions starting with 14.4 and prior to 14.8.

Jake Baines, a senior security researcher at Rapid7, is credited with discovering and disclosing the problem. GitLab delivered major security releases 14.8.2, 14.7.4, and 14.6.5 on February 25, 2022, following a responsible disclosure on November 18, 2021.
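For teams running self-managed GitLab, the version facts above can be turned into a quick inventory triage. This is an added example, not code from GitLab or Rapid7; it assumes each fixed release named in the article patches its own minor branch and that branches older than 14.6 must move to 14.6.5 or later. The hostnames and the function names are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(14, 6): (14, 6, 5), (14, 7): (14, 7, 4), (14, 8): (14, 8, 2)}
FIRST_AFFECTED = (13, 0, 0)        # article: affected "starting with 13.0"
OLDEST_FIX = min(FIXED.values())   # assumption: target for branches below 14.6

def parse_version(text):
    """Parse '14.7.3', '14.7.3-ee' or 'v13.12' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version_text):
    """Return (status, minimum fixed release or None) for CVE-2021-4191."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return ("not-affected", None)
    fix = FIXED.get(v[:2])
    if fix is None:
        if v[:2] > max(FIXED):     # branches after 14.8 already carry the fix
            return ("patched", None)
        fix = OLDEST_FIX           # 13.x and 14.0-14.5 have no fix of their own
    if v >= fix:
        return ("patched", None)
    return ("vulnerable", ".".join(map(str, fix)))

def vulnerable_hosts(inventory):
    """Map each vulnerable host to the release it should be upgraded to."""
    result = {}
    for host, version in inventory.items():
        status, target = triage(version)
        if status == "vulnerable":
            result[host] = target
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-dev.example.internal": "14.7.3-ee",
    "gitlab-prod.example.internal": "14.8.2",
    "gitlab-legacy.example.internal": "12.10.14",
    "gitlab-lab.example.internal": "13.12.0",
}

if __name__ == "__main__":
    for host, target in vulnerable_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to at least {target}")
```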

In a report published Thursday, Baines stated, “The vulnerability is the result of a missing authentication check while executing specific GitLab GraphQL API queries.” “This vulnerability allows an unauthenticated attacker to gather registered GitLab usernames, names, and email addresses from a remote location.”

If the API information leak is successfully exploited, hostile actors may be able to enumerate and assemble lists of genuine usernames belonging to a target, which can then be used as a stepping stone for brute-force attacks such as password guessing, password spraying, and credential stuffing.

“The information leak might also allow an attacker to construct a new username wordlist based on GitLab installs — not only from gitlab.com, but from the other 50,000 GitLab instances accessible through the internet,” Baines said.
