H3-2022-0078

Unauthenticated GitLab User Enumeration

Category SECURITY_MISCONFIGURATION
Base Score 5.0

Description

GitLab users can be enumerated without authentication when access is set to 'Public'.

Impact

An unauthenticated attacker can query the server and use the data returned to compile a list of known users for further credential attacks. GitLab applications are likely targets for attackers because of the abundance of information and credentials stored in them.

References