Sensitive information disclosure via value stream analytics controller (leaks undisclosed security vulnerabilities in Gitlab)
HackerOne report #2012073 by pwnie
on 2023-06-04, assigned to @ngeorge1:
Report
Summary
Sensitive information can be disclosed via the value stream analytics feature of Gitlab. Some examples are viewing a private repository's merge requests and confidential issues.
Steps to reproduce (Example attacks)
Viewing confidential issues
- Go to https://gitlab.com/gitlab-org/gitlab/-/value_stream_analytics?created_after=2023-05-06&created_before=2023-06-04&value_stream_id=3160&label_name[]=HackerOne&stage_id=12787&sort=end_event&direction=desc&page=1
- You can view undisclosed security issues for Gitlab
Viewing merge requests of a private repository
- Create a project and change the repository visibility to project members only
- Create a new branch and a new merge request
- Close that merge request
- Go to the value stream analytics page on a different account
- Create a new value stream with any name with the following settings:
- Wait for the merge request to appear in the new value stream and stage you just created
Impact
Information disclosure of critical nature, for example undisclosed security vulnerabilities. Since the information disclosed pertains to different components, I am marking the scope as changed. For example, I can use this bug to disclose every other vulnerability in Gitlab, and escalate from there.
What is the current bug behavior?
Value stream analytics controllers don't implement access control
What is the expected correct behavior?
Proper access control
Output of checks
This bug happens on GitLab.com
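The report's expected behaviour is that the analytics endpoint only returns records the requesting user is allowed to read, rather than every issue and merge request matching the stage filters. The following is an added illustration of that per-record check, written for this page and not taken from GitLab's code base: it models project visibility (public, internal, private) and the confidential-issue rule with small in-memory structs, and filters a constructed set of stage items down to what a given viewer may see. The project names, item titles, user names and the `visible_stage_items` helper are all assumptions for the example.

```ruby
# Added example (not GitLab code): per-viewer read checks applied to the
# records an analytics stage would otherwise return unfiltered.

# visibility is one of :public, :internal, :private; members is a list of usernames.
Project      = Struct.new(:name, :visibility, :members)
Issue        = Struct.new(:iid, :title, :project, :confidential, :author)
MergeRequest = Struct.new(:iid, :title, :project, :state)

def member?(project, user)
  !user.nil? && project.members.include?(user)
end

# Project-level gate: private projects are readable by members only,
# internal projects by any signed-in user, public projects by anyone.
def can_read_project?(project, user)
  case project.visibility
  when :public   then true
  when :internal then !user.nil?
  when :private  then member?(project, user)
  else false
  end
end

# Confidential issues stay hidden from non-members even in a public project,
# except for the issue's own author.
def can_read_issue?(issue, user)
  return false unless can_read_project?(issue.project, user)
  return true unless issue.confidential

  member?(issue.project, user) || issue.author == user
end

def can_read_merge_request?(mr, user)
  can_read_project?(mr.project, user)
end

# The filter an analytics controller must apply before rendering or counting
# stage items; anything the viewer cannot read is dropped here, not just
# hidden in the UI.
def visible_stage_items(items, user)
  items.select do |item|
    case item
    when Issue        then can_read_issue?(item, user)
    when MergeRequest then can_read_merge_request?(item, user)
    else false
    end
  end
end

# Constructed sample data (assumed names, not real projects or users).
PUBLIC_PROJECT  = Project.new("public-app", :public,  %w[alice])
PRIVATE_PROJECT = Project.new("secret-app", :private, %w[alice])

STAGE_ITEMS = [
  Issue.new(1, "Typo in README",             PUBLIC_PROJECT,  false, "bob"),
  Issue.new(2, "Undisclosed auth bypass",    PUBLIC_PROJECT,  true,  "alice"),
  MergeRequest.new(3, "Refactor, closed",    PRIVATE_PROJECT, :closed),
  Issue.new(4, "Private project bug",        PRIVATE_PROJECT, false, "alice"),
].freeze

# Convenience: the iids a given viewer (nil = anonymous) would get back.
def visible_iids(user)
  visible_stage_items(STAGE_ITEMS, user).map(&:iid)
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous: #{visible_iids(nil).inspect}"
  puts "bob:       #{visible_iids('bob').inspect}"
  puts "alice:     #{visible_iids('alice').inspect}"
end
```

Run with `ruby` to see that an anonymous viewer and a non-member only get the public, non-confidential issue, while the project member sees all four records. The important design point is that the filter sits in the data path the controller uses for both listing and aggregation: if confidential or private records are excluded only from the rendered list but still counted in stage durations, their existence and timing still leak.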