CVE-2021-39882: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab CE/EE, a user enumeration vulnerability allowed anonymous users to use specific endpoints to retrieve information about any GitLab user by providing a user ID. The vulnerability was discovered internally by a GitLab team member and was assigned CVE-2021-39882. The issue was disclosed on October 5, 2021, and was patched in versions 14.3.1, 14.2.5, and 14.1.7 (GitLab Release).

The vulnerability was rated as medium severity with a CVSS v3.1 base score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The issue stemmed from improper access controls that allowed unauthenticated users to access the /api/v4/users/:id endpoint. Since user IDs were numeric and sequential, this made it possible to enumerate all GitLab users systematically (GitLab Issue).

The vulnerability allowed anonymous users to retrieve information about any GitLab user in the system, potentially exposing user data to unauthorized individuals. While the API endpoint for listing all users was properly restricted, the individual user lookup endpoint could be exploited to systematically enumerate and gather information about GitLab users (GitLab Release).

The vulnerability was fixed in GitLab versions 14.3.1, 14.2.5, and 14.1.7. Organizations were strongly recommended to upgrade to one of these versions immediately. The fix involved implementing proper authentication requirements for the affected API endpoints (GitLab Release).