A security vulnerability has been disclosed in GitLab, an open-source software development platform, that allows a remote threat actor to obtain sensitive information about users such as first name, last name, email, and password. Data obtained through this vulnerability lets threat actors build a new username list (combolist) from GitLab installations and run brute-force attacks against those accounts.
The vulnerability, tracked as CVE-2021-4191, exists due to insufficient authentication checks when processing certain GitLab GraphQL API queries. As a result, a remote threat actor can exploit it to gain unauthorized access to sensitive information in the system.
The vulnerability affects all GitLab Community Edition and Enterprise Edition releases from 13.0.0 through 14.8.1 and was fixed in the latest release. The same updates also fix another critical vulnerability, tracked as CVE-2022-0735. Users running vulnerable GitLab versions are advised to apply the released updates immediately.
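Two defender-side checks that follow from the advisory, written here as an added example (this is not code from GitLab or from the advisory's author): a version test against the affected range the page gives, and a log scan that flags bursts of unauthenticated requests to the GitLab GraphQL endpoint, since the flaw is reachable only through GraphQL queries that should have required authentication. The combined-log format, the sample log lines, and the burst threshold and window are constructed assumptions; the `/api/graphql` path is GitLab's GraphQL endpoint. The version check models only the inclusive range stated on the page and does not account for fixes backported to older minor branches.

```python
"""Added example (not part of the advisory): defender-side checks for the
GitLab GraphQL information-disclosure issue CVE-2021-4191.

  is_affected_version()        -> is this GitLab version inside 13.0.0..14.8.1?
  flag_unauthenticated_graphql() -> which client addresses sent a burst of
                                   unauthenticated POSTs to /api/graphql?

Assumptions (not stated on the page): the combined-log format, the sample
lines, and the threshold/window values below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Affected range as stated in the advisory (inclusive at both ends).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (14, 8, 1)


def parse_version(version: str) -> tuple:
    """Turn '14.8.1' or '14.8.1-ee' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-")[0]          # drop edition suffixes such as '-ee'
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the advisory's affected range.
    Only the inclusive range from the page is modelled; backported fixes on
    older minor branches are not."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Combined-log style line: client, ident, authenticated user, [timestamp],
# "METHOD path proto", status, size. A user of '-' means no identified user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2022:10:00:01 +0000] "POST /api/graphql HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2022:10:00:02 +0000] "POST /api/graphql HTTP/1.1" 200 498',
    '198.51.100.2 - alice [01/Mar/2022:10:00:05 +0000] "POST /api/graphql HTTP/1.1" 200 800',
    '203.0.113.7 - - [01/Mar/2022:10:00:06 +0000] "POST /api/graphql HTTP/1.1" 200 503',
    '198.51.100.9 - - [01/Mar/2022:10:00:09 +0000] "GET /users/sign_in HTTP/1.1" 200 3000',
    '203.0.113.7 - - [01/Mar/2022:10:00:10 +0000] "POST /api/graphql HTTP/1.1" 200 511',
    '192.0.2.44 - - [01/Mar/2022:10:00:12 +0000] "POST /api/graphql HTTP/1.1" 200 400',
    '203.0.113.7 - - [01/Mar/2022:10:00:14 +0000] "POST /api/graphql HTTP/1.1" 200 509',
]


def flag_unauthenticated_graphql(lines, threshold=5, window=timedelta(minutes=1)):
    """Return the client addresses that sent at least `threshold` unauthenticated
    POSTs to /api/graphql within any span no longer than `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].startswith("/api/graphql"):
            continue
        if m["user"] != "-":
            continue          # authenticated GraphQL use is normal and not flagged
        hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))

    flagged = set()
    for ip, times in hits.items():
        times.sort()
        # Sliding window: event i and the event (threshold-1) places earlier
        # bound a run of `threshold` requests; flag if that run fits in `window`.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for v in ("13.0.0", "14.8.1-ee", "14.8.2"):
        print(v, "affected" if is_affected_version(v) else "not in affected range")
    print("burst sources:", flag_unauthenticated_graphql(SAMPLE_LOG))
```

The log check is deliberately a triage signal rather than a verdict: unauthenticated GraphQL traffic is legitimate on instances with public visibility, so a flagged address is a prompt to inspect what was queried and whether the instance has been patched, not proof of compromise.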