Unauthorized access to exposed Grafana metrics
HackerOne report #674146 by d0xing
on 2019-08-14, assigned to jritchey
Summary
Hi, recently I read your release notes:
https://about.gitlab.com/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released
"Basic authentication and hard-coded admin credentials are now disabled by default in the bundled Grafana instance as part of the Omnibus-based GitLab packages"
"The Grafana dashboard, when accessed using the hard-coded credentials, allowed for a malicious user to view internal resources that are accessible by the host where the GitLab instance resides."
The issue where Grafana can be accessed with admin:admin by default has been fixed, but all the metrics are still exposed to unauthorized users under the following URL/path.
<gitlab_instance_url>/-/grafana/metrics
Best regards,
d0xing
Impact
All self-hosted GitLab instances using the new version (12.x) are exposing Grafana/GitLab metrics to unauthorized users. An attacker can gain information about the infrastructure, server & HTTP load, thread info and other metrics. Also, this seems like a bad endpoint to expose publicly by default.
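As an added example (not part of the report and not GitLab's own code), a small Python audit helper an operator can run against their own instance: it requests the path named in the report without any credentials and classifies the response, treating a 200 whose body is Prometheus exposition text as the exposure described above. The function names `classify`, `looks_like_prometheus_metrics` and `audit_instance` are assumptions made for this example.

```python
"""Added example (not from the HackerOne report): check whether a GitLab
instance serves its bundled Grafana metrics to unauthenticated clients."""
import re
import urllib.error
import urllib.request

# Path named in the report.
METRICS_PATH = "/-/grafana/metrics"

# Prometheus exposition format: "# HELP"/"# TYPE" comments plus sample lines
# such as:  http_requests_total{code="200"} 1027
_SAMPLE_LINE = re.compile(r'^[a-zA-Z_:][a-zA-Z0-9_:]*(\{[^}]*\})?\s+[-+0-9.eEnNaIif]+')


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses (e.g. a login redirect) instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def looks_like_prometheus_metrics(body: str) -> bool:
    """True if most non-empty lines are metric samples or HELP/TYPE comments."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if not lines:
        return False
    hits = sum(1 for l in lines
               if l.startswith(("# HELP", "# TYPE")) or _SAMPLE_LINE.match(l))
    return hits / len(lines) > 0.5


def classify(status: int, body: str) -> str:
    """Classify an unauthenticated response to the metrics path.
    'exposed'   : 200 with metrics content (the finding in the report)
    'protected' : 401/403, or a redirect (typically to a login page)
    'unknown'   : anything else (endpoint absent, HTML error page, ...)"""
    if status == 200 and looks_like_prometheus_metrics(body):
        return "exposed"
    if status in (401, 403) or 300 <= status < 400:
        return "protected"
    return "unknown"


def audit_instance(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the metrics path with no credentials and classify the result."""
    req = urllib.request.Request(base_url.rstrip("/") + METRICS_PATH,
                                 headers={"User-Agent": "metrics-exposure-audit"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx arrive here
        return classify(e.code, e.read(65536).decode("utf-8", "replace"))
```

Run `audit_instance("https://gitlab.example.internal")` against an instance you administer; a result of `exposed` means the endpoint still answers anonymous requests.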
Security Issue
Security issue on dev.gitlab.org: https://dev.gitlab.org/gitlab/gitlabhq/issues/2942