Vulnerability feedback information visible in public projects

HackerOne report #490250 by ashish_r_padelkar on 2019-02-02, assigned to estrike:

Summary:
Hello,

There is a feature in projects called Security Dashboard which is not visible publicly. When you browse the Security Dashboard, the following endpoint is requested in the background:

https://gitlab.com/<UserName>/<ProjectName>/vulnerability_feedback?category=dependency_scanning

This endpoint is also visible publicly, which I think it should not be, because it reveals some important information.

Description:
This endpoint also works in the following scenarios:

  1. When public projects have the settings below

Screenshot_2019-02-02_at_13.18.31.png

  2. Guests in private projects are also able to see this information.

Steps To Reproduce:

  1. As an owner of a public project, apply the settings shown in the screenshot above
  2. Now access the URL with or without authentication, or as another user: https://gitlab.com/<UserName>/<ProjectName>/vulnerability_feedback?category=dependency_scanning

Regards,
Ashish

Impact

A public project reveals security-related information to unauthorised users.
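The access-control gap described in the report, modelled as an added illustration (this is not GitLab's code; the project/member structures, the role names and the "Developer or above" threshold are assumptions): the pre-fix decision follows project visibility and plain membership, so anonymous users on public projects and guests on private projects get through, while the corrected decision gates the endpoint on an explicit role threshold regardless of visibility.

```ruby
# Hypothetical model of the authorization decision for the
# vulnerability_feedback endpoint (illustration only, not GitLab's code).
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# visibility: :public or :private; members: { user_name => role }
Project = Struct.new(:visibility, :members)

# Behaviour the report describes: a public project answers anyone (including
# anonymous users) and a private project answers any member, guests included.
def feedback_visible_before_fix?(project, user)
  return true if project.visibility == :public

  !user.nil? && project.members.key?(user)
end

# Corrected decision: vulnerability feedback is security metadata, so require
# an explicit role threshold (assumed here: Developer or above) and ignore
# project visibility entirely.
def feedback_visible_after_fix?(project, user, min_role: :developer)
  return false if user.nil?

  role = project.members[user]
  return false if role.nil?

  ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(min_role)
end

# Constructed fixtures covering both scenarios from the report.
def access_matrix(check)
  public_project  = Project.new(:public,  { 'dev' => :developer })
  private_project = Project.new(:private, { 'guest' => :guest, 'dev' => :developer })
  {
    anonymous_on_public:  check.call(public_project, nil),
    guest_on_private:     check.call(private_project, 'guest'),
    developer_on_private: check.call(private_project, 'dev')
  }
end
```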

Attachments

Warning: Attachments received through HackerOne, please exercise caution!