Issue ID visible for security vulnerabilities despite Only Project Members settings

HackerOne report #617341 by ashish_r_padelkar on 2019-06-17, assigned to jmatos_bgtvf:

Summary

Hello,

When the settings below are in place for issues, none of the issue-related information should be visible publicly.

Screenshot_2019-06-17_at_20.47.10.png

However, despite the above settings, anyone can see the issue ID associated with security vulnerabilities in pipelines.

Steps to reproduce

  1. Set up the public project with the above settings, i.e. issues as Only Project Members and Pipelines as Everyone With Access.

  2. Create an issue for a security issue using the Create issue button available from the security vulnerability popup.

  3. Now, as any user (non-member), visit the pipeline security tab and click on the available security issues. The popup will show the Issue ID for that security issue despite the settings being in place.

Screenshot_2019-06-17_at_20.52.03.png

Examples POC

You can visit my project here at https://gitlab.com/gitlabadminrsspl1111/thisispublicproject/pipelines/66301859/security and click on the 2 available vulnerabilities there. You should see the issue ID associated with them although you can't see the issues menu there!

What is the current bug behavior?

The issue IDs associated with security vulnerabilities in pipelines are visible.

What is the expected correct behavior?

The issue ID should not be visible when issues are set to Only Project Members.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

Issue ID visible in security vulnerabilities despite issues being set to Only Project Members in public projects.
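The authorization gap the report describes, modelled as an added Ruby example (not GitLab's own code): the vulnerability popup is gated only by the pipelines access level, so the linked issue IID leaks to non-members even when issues are restricted. The `Project`, `Vulnerability`, access-level symbols and serializer names are assumptions for illustration; the fix is to pass every issue-derived field through the issues policy as well.

```ruby
# Constructed models (not GitLab's): a project carries separate access levels
# for issues and pipelines, matching the two settings named in the report.
Project = Struct.new(:visibility, :issues_access, :pipelines_access, :members,
                     keyword_init: true)
Vulnerability = Struct.new(:id, :severity, :issue_iid, keyword_init: true)

def member?(project, user)
  project.members.include?(user)
end

# "Only Project Members" (:only_project_members) requires membership;
# "Everyone With Access" on a public project admits anonymous users.
def can_read_issues?(project, user)
  return true if member?(project, user)
  project.visibility == :public && project.issues_access == :everyone_with_access
end

def can_read_pipelines?(project, user)
  return true if member?(project, user)
  project.visibility == :public && project.pipelines_access == :everyone_with_access
end

# Vulnerable shape (the behaviour reported): only the pipelines policy is
# checked, and issue_iid is serialized unconditionally.
def serialize_vulnerability_unsafe(project, user, vuln)
  return nil unless can_read_pipelines?(project, user)
  { id: vuln.id, severity: vuln.severity, issue_iid: vuln.issue_iid }
end

# Hardened shape: the issue reference is included only when the viewer
# could also read the project's issues directly.
def serialize_vulnerability(project, user, vuln)
  return nil unless can_read_pipelines?(project, user)
  payload = { id: vuln.id, severity: vuln.severity }
  if vuln.issue_iid && can_read_issues?(project, user)
    payload[:issue_iid] = vuln.issue_iid
  end
  payload
end

# Constructed scenario from the report's reproduction steps.
def demo_project
  Project.new(visibility: :public, issues_access: :only_project_members,
              pipelines_access: :everyone_with_access, members: ['maintainer'])
end
```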

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-06-17_at_20.47.10.png
  • Screenshot_2019-06-17_at_20.52.03.png