
GitLab object reference (issue, MR, epic or any other object) is exposed in a markdown link title

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2774817 by mateuszek on 2024-10-10, assigned to @ngeorge1:


Report

1. Description:
I found a scenario where an unauthorized actor has access to read confidential incidents in the GitLab Wiki via the Wiki History Diff feature

2. Scenario:

2.1. Actors:
User A - private group A owner and private project A owner (project inside group A)
User B - private group A guest and private project A guest (project inside group A)

2.2. Steps:

  1. User A - in the PoC private project A create a confidential incident (Plan -> Issues)
  2. User A - in the PoC private project A create a specific Wiki page (Plan -> Wiki -> New page)

You need to use the plain text editor for the Content; in Content click Add a link and add the link to the confidential incident.
It should look like [screenshot1.png]


Now, click Create page

  3. User A - now click Edit (edit that page), click Switch to rich text editing and add something, e.g. "test", below the URL

[screenshot2.png]


[screenshot3.png]


Then click Save changes

  4. User B - go to the PoC Wiki page and notice that you don't see the title of the linked confidential incident - expected behaviour
  5. User B - in the PoC Wiki page click the three dots, then choose Page history, then choose Diff next to version v2

[screenshot4.png]


  6. User B - notice that in the Diff view the title of the PoC confidential incident is visible to you - privilege escalation to read confidential incidents by an unauthorized actor in the GitLab Wiki via the Wiki History Diff feature

[screenshot5.png]


3. Additional information:
I recorded a PoC video where I show everything step by step - video1.mp4


Best regards,
Mateusz

Impact

  • Privilege escalation to read confidential incidents by an unauthorized actor in the GitLab Wiki via the Wiki History Diff feature

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
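One defensive check for the class of bug described in this report, added here as an example that is not GitLab's code and not its actual fix: scan the markdown the editor is about to persist, report any quoted title attached to a link whose destination is a GitLab object (issue, merge request, epic or incident), and strip that title before the revision is stored, so that nothing in the page history can reveal a title the viewer is not permitted to see. The URL path patterns and the sample wiki content are assumptions constructed for the example.

```python
import re

# Inline markdown link with an optional quoted title: [text](destination "title").
# Constructed for this example; it does not cover every CommonMark edge case
# (nested brackets, angle-bracket destinations, single-quoted titles).
_LINK_RE = re.compile(
    r'\[(?P<text>[^\]]*)\]'
    r'\((?P<dest>\S+?)(?:\s+"(?P<title>[^"]*)")?\)'
)

# URL path segments taken to identify a GitLab object reference. This list is
# an assumption made for the example, not GitLab's own definition.
_OBJECT_PATHS = ("/-/issues/", "/-/merge_requests/", "/-/epics/", "/-/incidents/")

def is_object_reference(dest: str) -> bool:
    """True if the link destination points at a GitLab object (issue, MR, epic, ...)."""
    return any(seg in dest for seg in _OBJECT_PATHS)

def leaked_titles(markdown: str) -> list[str]:
    """Titles attached to object links: a pre-save check, or an audit over stored pages."""
    return [
        m.group("title")
        for m in _LINK_RE.finditer(markdown)
        if m.group("title") is not None and is_object_reference(m.group("dest"))
    ]

def strip_object_link_titles(markdown: str) -> str:
    """Persist object links without a title attribute: link text is rendered at view
    time with the viewer's permissions, but a stored title string is shown verbatim
    in a page-history diff, so it must not carry the referenced object's title."""
    def _rewrite(m: re.Match) -> str:
        if m.group("title") is not None and is_object_reference(m.group("dest")):
            return f'[{m.group("text")}]({m.group("dest")})'
        return m.group(0)
    return _LINK_RE.sub(_rewrite, markdown)

# Constructed sample of wiki content as a rich text editor might serialize it.
SAMPLE = (
    "[https://gitlab.example.com/group-a/project-a/-/issues/7]"
    '(https://gitlab.example.com/group-a/project-a/-/issues/7 "Confidential incident title")\n'
    '[docs](https://example.com/docs "Public docs")\n'
    "test\n"
)

if __name__ == "__main__":
    print(leaked_titles(SAMPLE))
    print(strip_object_link_titles(SAMPLE))
```

Titles on links to ordinary external pages are left untouched; only links that resolve to a GitLab object lose their title, because that is the one place where the stored string can duplicate access-controlled data.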