Closed
Issue created Jan 20, 2021 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Guest in private project can see CI/CD Analytics

HackerOne report #1074326 by ashish_r_padelkar on 2021-01-08, assigned to @dcouture:


Report

Summary

Hello,

This is most probably a documentation error, but I am reporting it because you have mentioned in your policy: "Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related."

As per the user permissions document, https://docs.gitlab.com/ee/user/permissions.html, a Guest should not be able to "View CI/CD analytics". I think it is wrongly mentioned, as a Guest can see CI/CD Analytics in private projects. Not too sure if there have been any recent changes, but in any case, either the document or the code needs fixing!

Steps to reproduce
  1. Log in as a Guest in a private project; you can see the CI/CD Analytics option and can browse it too!

Regards,
Ashish

Impact

Guest in private project can see CI/CD Analytics

How To Reproduce

Please add reproducibility information to this section:
