Cube API key is leaked to Developers and higher in the same group
HackerOne report #2502047 by yvvdwf
on 2024-05-12, assigned to @ottilia_westerlund:
Report
Hello,

This code exposes cube_api_key to members having at least the Developer role.

Reproduce at gitlab.com:

- As Maintainer (or Owner) of an existing project (or create a new project) which has the Ultimate plan:
  - go to Settings / Analytics / Data source, then fill the form as you want
- As a project member which has the Developer role:
  - go to Analyze / Analytics dashboards
  - view the source code of the page
  - you should see the cube_api_key value in the code

Impact

Exposes cube_api_key to other project members:

- S:C as cube_api_key can be used to access the cube.dev data source
- PR:L as a member having the Developer role can access to

Best regards,
yvvdwf
How To Reproduce
Please add reproducibility information to this section:
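The exposure pattern the report describes, and the least-privilege alternative, as an added Ruby illustration: this is not GitLab's code and not part of the report. The numeric access levels match GitLab's documented Guest/Reporter/Developer/Maintainer/Owner values; the setting names are modelled on the Data source form but should be treated as assumptions, as are the function names, the sample values and the render helper.

```ruby
require 'json'
require 'cgi'

# Numeric access levels as documented for GitLab project members.
module Access
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Constructed sample of the per-project "Data source" settings a Maintainer
# fills in. The names are assumptions modelled on the form, not GitLab's schema.
SETTINGS = {
  product_analytics_configurator_connection_string: 'https://configurator.example.invalid',
  product_analytics_data_collector_host: 'https://collector.example.invalid',
  cube_api_base_url: 'https://cube.example.invalid',
  cube_api_key: 'cube-secret-key-DO-NOT-LEAK'
}.freeze

# Vulnerable pattern: every setting, secret included, is handed to the page
# that any member with at least the Developer role can open.
def dashboard_data_vulnerable(settings, access_level)
  return nil if access_level < Access::DEVELOPER

  settings
end

# Hardened pattern: the page only ever receives an allowlist of non-secret
# settings. The key stays server-side (a backend proxy can still use it),
# so no role sees it in page source regardless of who can open the page.
PUBLIC_KEYS = %i[
  product_analytics_configurator_connection_string
  product_analytics_data_collector_host
  cube_api_base_url
].freeze

def dashboard_data_hardened(settings, access_level)
  return nil if access_level < Access::DEVELOPER

  settings.select { |key, _| PUBLIC_KEYS.include?(key) }
end

# Renders the data attribute the way a view template would: JSON, HTML-escaped.
def render_dashboard(data)
  return '<div id="js-analytics-dashboards"></div>' if data.nil?

  %(<div id="js-analytics-dashboards" data-settings="#{CGI.escapeHTML(JSON.generate(data))}"></div>)
end

# Regression check mirroring the report's "view source" step: does the HTML
# served to a given role contain the secret anywhere?
def leaks_key?(html, settings)
  CGI.unescapeHTML(html).include?(settings[:cube_api_key])
end

if $PROGRAM_NAME == __FILE__
  [[:vulnerable, method(:dashboard_data_vulnerable)],
   [:hardened, method(:dashboard_data_hardened)]].each do |label, builder|
    html = render_dashboard(builder.call(SETTINGS, Access::DEVELOPER))
    puts "#{label}: developer view leaks cube_api_key? #{leaks_key?(html, SETTINGS)}"
  end
end
```

The check function is the part worth keeping around: run it against the HTML served to a Developer-role test user after any change to the analytics settings serializer, so a reintroduced leak fails a test instead of reaching page source.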