GitLab - User Information Disclosure Via Open API Scanner
There is a user enumeration vulnerability in GitLab caused by an incorrect authorisation check on the API users endpoint.
Short Info
Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: URL
Toolbox: -
Username enumeration is a type of vulnerability in web applications where it is possible to discover exact usernames, or to confirm that a guessed (or leaked) username exists in the system, based on the system's response.
The API users endpoint no longer requires authentication to fetch data on individual users. This allows user data to be fetched from instances that do not allow public projects. Privately hosted instances (and dev instances) should not allow unauthenticated requests to this endpoint.
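As an added example (not the scanner's own code), a minimal check an asset owner can run against their own instance: it assumes the standard GitLab REST path /api/v4/users and classifies the unauthenticated response as exposed, empty, auth-required, or unexpected.

```python
"""Check whether a GitLab instance serves /api/v4/users without authentication.

Added example for this page, not part of any scanner product. Assumes the
instance exposes GitLab's REST API under the standard /api/v4 prefix.
"""
import json
import urllib.error
import urllib.request


def classify_users_response(status: int, body: bytes) -> str:
    """Classify an unauthenticated response from /api/v4/users.

    Returns one of:
      "exposed"       - 200 with a JSON list containing user records
      "empty"         - 200 but no user records in the body
      "requires_auth" - 401/403, the expected state for a private instance
      "unexpected"    - anything else (not GitLab, proxy error, HTML page)
    """
    if status in (401, 403):
        return "requires_auth"
    if status != 200:
        return "unexpected"
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "unexpected"
    if isinstance(data, list) and any(
        isinstance(user, dict) and "username" in user for user in data
    ):
        return "exposed"
    return "empty"


def check_instance(base_url: str, timeout: float = 10.0) -> str:
    """Send one unauthenticated GET to the users endpoint of your own instance."""
    url = base_url.rstrip("/") + "/api/v4/users?per_page=1"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_users_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_users_response(err.code, err.read())


# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_EXPOSED = (200, b'[{"id": 1, "username": "root", "name": "Administrator"}]')
SAMPLE_DENIED = (403, b'{"message": "403 Forbidden"}')

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_instance(target) if target else classify_users_response(*SAMPLE_EXPOSED))
```

Run it with your instance's base URL as the only argument; any result other than "requires_auth" on a private instance is worth a look.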