Description

By using the graphql endpoint, it was possible to get list of all the Gitlab users. Therefore, this information can be used to conduct further attacks.

Remediation

Limit information exposed to anonymous users

References

GitLab GraphQL API

Related Vulnerabilities

Python Debugger Unauthorized Access Vulnerability

Full public read access Azure blob storage

WordPress Plugin YaySMTP-Simple WP SMTP Mail Information Disclosure (2.2)

WordPress Plugin Aspose PDF Exporter Arbitrary File Download (1.0)

PHP opcache-status page publicly accessible

Severity

Low

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration