Description

By using the graphql endpoint, it was possible to get list of all the Gitlab users. Therefore, this information can be used to conduct further attacks.

Remediation

Limit information exposed to anonymous users

References

GitLab GraphQL API

Related Vulnerabilities

Express running in development mode

WordPress Plugin BackupBuddy Information Disclosure (2.2.28)

WordPress Plugin Count per Day Information Disclosure (3.2.5)

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-15098)

Ruby Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-10933)

Severity

Low

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration