List of private projects exposed via CI/CD job list

While browsing the job list of a gitlab runner I use in one of my projects, I noticed that the job list also contains jobs of projects which are private and to which I don't have access.

(This report follows the Gitlab Hackerone template, as I first reported it there as Report #1977233; but the finding was out of scope for H1.)

Report

Summary

In the Jobs' list of a Gitlab runner, a list of private projects & their CI activity is visible. The currently logged-in user has no access to these projects, and has no other way to see/access them. This list thus leaks the existence, name, and activity of those projects.

Steps to reproduce

(This steps were performed on our local instance; the author of this report is a normal user and has no admin access to the instance.)

Prerequisite:

GitLab Enterprise Edition
shared Gitlab CI/CD runner used by (private) projects

create new group and an empty project in this group
in the project, go to: Settings → CI/CD
from "Other available runners:" select "Enable for this project" ("available_project_runners"; shared instance-wide runner?)
go to the newly created group → CI/CD → Runners
open the respective (shared) runner
open list of Jobs; this tab is even marked with a "Jobs in projects you have access to" tooltip
notice that the list contains job runs of private projects
open job/project to verify it is indeed private for the current user

Impact

User without privileges learns about existence, name, group, and (CI) activity in a private repo that uses the same runner.
In our case, we learned about the existence of a secret research project and that it is still active. We also learned the project's age, as the project name was prefixed with the year it was initialized.

(I did not check yet if the problem exists with other job lists as well.)

Examples

see screenshots attached

What is the current bug behavior?

list of secret projects is leaked to users
see screenshots attached

What is the expected correct behavior?

assumption:
- existence and name of private projects is a secret
  - as implied by hiding the projects in all other places, even returning 404 (instead of access denied) when trying to open it
- activities in private project (e.g., when and how often something is committed/build by CI) is a secret
expected behavior: not show existence and activity of private projects in the runner's job list
- as implied by "Jobs in projects you have access to." tooltip

Relevant logs and/or screenshots

see screenshots attached

Results of GitLab environment info

(the author of this report has no admin access to the gitlab instance or SSH access to the server)

GitLab Enterprise Edition 15.10.3-ee

Impact

Improper Access Control / Information leak:

User without privileges learns about existence, name, group, and (CI) activity in a private projects that use the same runner.
In our case, we learned about the existence of a secret research project and that it is still active. We also learned the project's age, as the project name was prefixed with the year it was initialized.