CVE-2021-4191: 
GitLab vulnerability analysis and mitigation

CVE-2021-4191 is a vulnerability discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. The vulnerability allows unauthenticated users to enumerate user information through the GraphQL API on private GitLab instances with restricted sign-ups (MITRE CVE, Rapid7 Blog).

The vulnerability stems from a missing authentication check when executing certain GitLab GraphQL API queries at the /api/graphql endpoint. The issue allows remote, unauthenticated attackers to collect registered GitLab usernames, names, and email addresses. The vulnerability has been assigned a CVSSv3 base score of 5.3 (Rapid7 Blog).

The information leak allows attackers to recover usernames, names, and sometimes email addresses of GitLab users. While seemingly low-stakes, this account discovery can be leveraged for various brute-force attacks, including password guessing, password spraying, and credential stuffing. The vulnerability could also be used to create username wordlists from both gitlab.com and approximately 50,000 other internet-accessible GitLab instances (Rapid7 Blog).

Organizations are advised to ensure their GitLab instances are not publicly accessible unless intended as a public resource. Users should update to the latest versions (14.8.2, 14.7.4, and 14.6.5). Additionally, disabling public profiles is recommended by going to Admin Area -> General -> Visibility and access controls -> Restricted visibility levels and checking the box next to 'Public' (Rapid7 Blog).