CVE-2021-4191

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 13.0 through 14.6.5 GitLab CE/EE versions 14.7 through 14.7.4 GitLab CE/EE versions 14.8 through 14.8.2

Description An issue has been discovered in GitLab CE/EE that may allow a remote, unauthenticated attacker to access user-related information. This issue affects private GitLab instances with restricted sign-ups, making them vulnerable to user enumeration through the GraphQL API. The vulnerability could potentially allow an attacker to gather registered usernames, names, and email addresses of GitLab users, which could then be used for subsequent attacks. Thousands of GitLab instances are affected.

Recommendations For versions 13.0 through 14.6.5, update to version 14.6.5 or later. For versions 14.7 through 14.7.4, update to version 14.7.4 or later. For versions 14.8 through 14.8.2, update to version 14.8.2 or later. As a temporary workaround, consider restricting access to the GraphQL API until a patch is applied.