Access Token with read_user Scope Can Read Private Repo's Events

HackerOne report #718159 by ngalog on 2019-10-20, assigned to @cmaxim:

Summary

The description for the read_user scope is as follows:

Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.

And I found that there is an indirect way to escape out of the /users API endpoints: users/:userid/events can be used to collect the user's private project/group event information.

Steps to reproduce

  • Generate a read_user access token in https://gitlab.com/profile/personal_access_tokens, or use mine: `[REDACTED]`
  • Make the request below:

    GET /api/v4/users/2820780/events HTTP/1.1
    Host: gitlab.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
    content-type:application/json
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Private-Token: [REDACTED]

  • You should see that the response contains information about my private project's events (project id 14827629), including the private issue's title and comments, etc.
  • But if you use the same token to make the request below:
    GET /api/v4/projects/14827629/events HTTP/1.1
    Host: gitlab.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
    content-type:application/json
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Private-Token: [REDACTED]

  • You will see a 403 Forbidden error, meaning your access token is not privileged enough to see that information.

  • Now we have a self-contradicting situation: although you can't see the event information via GET /api/v4/projects/14827629/events, you can see the same event information via GET /api/v4/users/2820780/events.

  • So this is what I meant by escaping the /users API endpoints and seeing information from the /projects endpoints.

Impact

A read_user API access token can escalate to /projects or /groups.

Examples

Given above

What is the current bug behavior?

Given above

What is the expected correct behavior?

It should not return such private project info in /users/:userid/events, in the same way that GitLab does not disclose the private project's information in /projects with just a read_user scope access token.
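The expected behaviour described above, as an added illustration that is not GitLab's own code: an aggregated user event feed should apply the same per-project visibility rule that the project endpoint applies, so a token limited to read_user cannot learn through /users/:id/events what /projects/:id/events refuses. The project ids, event records and the scope names treated as granting project access (`api`, `read_api`) are constructed assumptions for the model, not GitLab internals.

```ruby
# Constructed sample data (not real GitLab ids): projects with a visibility
# level, and the user's events that reference them.
PROJECTS = {
  101 => { visibility: 'public' },
  102 => { visibility: 'private' },
}.freeze

EVENTS = [
  { id: 1, project_id: 101, action: 'pushed',    target_title: nil },
  { id: 2, project_id: 102, action: 'commented', target_title: 'Secret issue' },
  { id: 3, project_id: 102, action: 'opened',    target_title: 'Private MR' },
].freeze

# Rule modelled on /projects/:id/events: public projects are readable by any
# scope, private projects need a scope that grants project access (assumed
# here to be 'api' or 'read_api'); read_user alone is refused with 403.
def project_events_allowed?(project_id, scopes)
  return true if PROJECTS.fetch(project_id)[:visibility] == 'public'
  (scopes & %w[api read_api]).any?
end

# Vulnerable shape: only the endpoint-level scope check runs (the path is
# under /users, so read_user passes), then every event is returned
# regardless of the referenced project's visibility.
def user_events_vulnerable(scopes)
  return nil unless (scopes & %w[read_user api read_api]).any?
  EVENTS
end

# Fixed shape: the per-project rule is re-applied to each event, so the
# feed never discloses an event the project endpoint would refuse.
def user_events_fixed(scopes)
  return nil unless (scopes & %w[read_user api read_api]).any?
  EVENTS.select { |e| project_events_allowed?(e[:project_id], scopes) }
end

# Consistency property a regression test can assert: no event in the feed
# belongs to a project the same token cannot read directly.
def feed_consistent?(events, scopes)
  events.all? { |e| project_events_allowed?(e[:project_id], scopes) }
end
```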

Relevant logs and/or screenshots

NA

Output of checks

gitlab.com

Impact

See above

Edited Jul 04, 2022 by Costel Maxim