
User-related data in the hands of hackers.


Last Updated on 05/03/2022 by Nidhi Khandelwal

Researchers have revealed details of a now-patched security flaw in GitLab, an open-source DevOps platform, that may allow a remote, unauthenticated attacker to recover user-related data.


The medium-severity issue, tracked as CVE-2021-4191 (CVSS score: 5.3), affects all versions of GitLab Community Edition and Enterprise Edition starting with 13.0, as well as all versions starting with 14.4 and prior to 14.8.

Jake Baines, a senior security researcher at Rapid7, is credited with discovering and disclosing the issue. The fix shipped in GitLab security releases 14.8.2, 14.7.4, and 14.6.5, delivered on February 25, 2022, following responsible disclosure on November 18, 2021.

In a report published Thursday, Baines stated, “The vulnerability is the result of a missing authentication check while executing specific GitLab GraphQL API queries.” “This vulnerability allows an unauthenticated attacker to gather registered GitLab usernames, names, and email addresses from a remote location.”

If the API information leak is successfully exploited, malicious actors could enumerate and assemble lists of valid usernames belonging to a target, which can then serve as a stepping stone for brute-force attacks such as password guessing, password spraying, and credential stuffing.
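Because the leak is only useful to an attacker who walks the user list page by page, the defender-side signal is a burst of unauthenticated GraphQL requests selecting user fields from one source. The script below is an added illustration of that detection logic, not code from GitLab or from the Rapid7 report. It runs over a handful of constructed JSON access-log lines; the field names (`remote_ip`, `username`, `query`) are assumptions and do not reproduce GitLab's real log schema, so map them to whatever your log pipeline actually emits.

```python
import json
import re
from collections import Counter

# Constructed sample log lines (not real GitLab output): one JSON object per
# request. Field names are assumptions for this example. Three anonymous
# requests from 203.0.113.7 page through the user list; the others are benign.
SAMPLE_LOG = r'''
{"time":"2022-02-20T10:00:01Z","method":"POST","path":"/api/graphql","remote_ip":"203.0.113.7","username":null,"status":200,"query":"{ users(first: 100) { nodes { username name publicEmail } } }"}
{"time":"2022-02-20T10:00:02Z","method":"POST","path":"/api/graphql","remote_ip":"203.0.113.7","username":null,"status":200,"query":"{ users(first: 100, after: \"abc\") { nodes { username name publicEmail } } }"}
{"time":"2022-02-20T10:00:03Z","method":"POST","path":"/api/graphql","remote_ip":"203.0.113.7","username":null,"status":200,"query":"{ users(first: 100, after: \"def\") { nodes { username name publicEmail } } }"}
{"time":"2022-02-20T10:00:04Z","method":"POST","path":"/api/graphql","remote_ip":"198.51.100.4","username":"alice","status":200,"query":"{ currentUser { username } }"}
{"time":"2022-02-20T10:00:05Z","method":"GET","path":"/dashboard","remote_ip":"198.51.100.4","username":"alice","status":200,"query":null}
{"time":"2022-02-20T10:00:06Z","method":"POST","path":"/api/graphql","remote_ip":"192.0.2.9","username":null,"status":200,"query":"{ project(fullPath: \"group/repo\") { name } }"}
'''

# GraphQL selections that return account identity data. Extend for your schema.
USER_FIELD_RE = re.compile(r"\b(users|username|publicEmail|email)\b")


def parse_log(text):
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_anonymous_user_query(event):
    """True for an unauthenticated GraphQL POST that selects user identity fields."""
    return (
        event.get("method") == "POST"
        and event.get("path") == "/api/graphql"
        and not event.get("username")          # no authenticated principal
        and bool(event.get("query"))
        and USER_FIELD_RE.search(event["query"]) is not None
    )


def find_enumeration(text, threshold=2):
    """Count anonymous user-field queries per source IP and flag repeat offenders.

    A single anonymous query may be a misconfigured client; `threshold` or more
    from one IP looks like someone paging through the directory.
    """
    hits = [e for e in parse_log(text) if is_anonymous_user_query(e)]
    per_ip = Counter(e.get("remote_ip", "unknown") for e in hits)
    flagged = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {"suspicious_requests": len(hits), "flagged_ips": flagged}


if __name__ == "__main__":
    print(json.dumps(find_enumeration(SAMPLE_LOG), indent=2))
```

On the constructed input this reports three suspicious requests and flags 203.0.113.7. An alert like this is a detective control only; the corrective control is upgrading to one of the patched releases the article lists, and the compensating control while you do is rate-limiting or blocking unauthenticated access to the GraphQL endpoint at the edge.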


“The information leak might also allow an attacker to construct a new username wordlist based on GitLab installs — not only from gitlab.com, but from the other 50,000 GitLab instances accessible through the internet,” Baines said.

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.
