
Users related data in the hands of hackers.


Last Updated on 05/03/2022 by Nidhi Khandelwal

Researchers have revealed details of a now-patched security flaw in GitLab, an open-source DevOps platform, that may allow a remote, unauthenticated attacker to recover user-related data.


The medium-severity issue, tracked as CVE-2021-4191 (CVSS score: 5.3), affects all versions of GitLab Community Edition and Enterprise Edition starting with 13.0, as well as all versions starting with 14.4 and prior to 14.8.

Jake Baines, a senior security researcher at Rapid7, is credited with discovering and reporting the issue. GitLab shipped fixes in the security releases 14.8.2, 14.7.4, and 14.6.5 on February 25, 2022, following responsible disclosure on November 18, 2021.

In a report published Thursday, Baines stated: “The vulnerability is the result of a missing authentication check while executing specific GitLab GraphQL API queries. This vulnerability allows an unauthenticated attacker to gather registered GitLab usernames, names, and email addresses from a remote location.”

If the API information leak is successfully exploited, malicious actors may be able to enumerate and assemble lists of valid usernames belonging to a target, which can then be used as a stepping stone for brute-force attacks such as password guessing, password spraying, and credential stuffing.
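As an added example (not from the article, Rapid7, or GitLab), the following detector flags the access pattern such an enumeration would leave behind: bursts of unauthenticated, successful POSTs to the GraphQL endpoint from one source within a short window. The log line format is a simplified one assumed for this example, the endpoint path /api/graphql is assumed, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed sample log in an assumed simplified format (not GitLab's real schema):
# "<epoch-seconds> <source-ip> <authenticated-user-or-'-'> <method> <path> <status>"
SAMPLE_LOG = """\
1645770000 203.0.113.5 - POST /api/graphql 200
1645770001 203.0.113.5 - POST /api/graphql 200
1645770002 198.51.100.7 alice POST /api/graphql 200
1645770003 203.0.113.5 - POST /api/graphql 200
1645770004 198.51.100.9 - GET /users/sign_in 200
1645770005 203.0.113.5 - POST /api/graphql 200
1645770300 192.0.2.44 - POST /api/graphql 200
1645770400 192.0.2.44 - POST /api/graphql 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_unauth_graphql(rec):
    """True for an unauthenticated ('-' user), successful POST to the GraphQL endpoint."""
    return (rec["user"] == "-" and rec["method"] == "POST"
            and rec["path"] == "/api/graphql" and rec["status"] == "200")

def find_unauth_graphql_bursts(log_text, threshold=3, window=60):
    """Map source IP -> timestamp of the first alert, raised when at least `threshold`
    unauthenticated GraphQL POSTs from that IP fall within `window` seconds."""
    recent = defaultdict(deque)   # per-IP sliding window of timestamps
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_unauth_graphql(rec):
            continue
        ts, ip = int(rec["ts"]), rec["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

if __name__ == "__main__":
    print(find_unauth_graphql_bursts(SAMPLE_LOG))   # {'203.0.113.5': 1645770003}
```

The second source in the sample stays under the threshold because its two requests are 100 seconds apart, so it is only reported when the window is widened.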


“The information leak might also allow an attacker to construct a new username wordlist based on GitLab installs — not only from gitlab.com, but from the other 50,000 GitLab instances accessible through the internet,” Baines said.

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.