CVE-2021-4191

moderate-risk
Published 2022-03-28

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.

Do I need to act?

!
92.4% chance of exploitation in next 30 days
EPSS score — higher than 8% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Gitlab

References (6)

Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4191.json
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/343898
Permissions Required https://hackerone.com/reports/1089609
Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4191.json
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/343898
Permissions Required https://hackerone.com/reports/1089609
48
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 20/34 · Moderate
Exposure 7/34 · Low