
Confidential issue count exposed by group milestones


Originally reported via HackerOne

This issue falls under GitLab's out-of-scope category:

"Scenarios in which only the number of private objects is exposed, unless it can be used to extract any sensitive information contained in those objects."

Summary

We have a public group which will only have confidential issues. (It is public so the public will be able to open confidential issues.)

This group has milestones to facilitate planning.

The group milestone listing (https://example.com/groups/path_to_group/-/milestones) shows the count of completed issues without authentication, although those issues are confidential.

The individual milestone pages like https://example.com/groups/path_to_group/-/milestones/14 show the count of issues in the burndown & burnup charts, again without authentication, and the issues are confidential.

Steps to reproduce

  1. Create a public group
  2. Create a milestone in the group
  3. Create a public project within the group
  4. Create a confidential issue within the project, assigning it the group milestone
  5. Log out and go to the group milestone listing

Impact

While no issue content is exposed that I can see, the existence and count of confidential issues is exposed.

Examples

See summary

What is the current bug behavior?

The confidential issues are included in group milestone completion statistics and burndown/up charts

What is the expected correct behavior?

No trace of the confidential issues should be exposed
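The expected behaviour above, as an added illustration that is not GitLab's own code: every milestone statistic (totals, completion count, burndown points) is derived only from the issues the requesting viewer is allowed to see, so an anonymous request gets no hint that confidential issues exist. The Issue struct, the viewer/member-id model and the sample data are assumptions constructed for the example.

```ruby
# Added example (not GitLab's own code): milestone statistics computed only
# over issues the requesting viewer may see, so confidential issues leave no
# trace in the count or the burndown for anonymous viewers.
require 'date'

# Hypothetical minimal issue model; project_member_ids stands in for the
# real permission check (constructed for this example).
Issue = Struct.new(:id, :confidential, :closed_on, :project_member_ids, keyword_init: true)

# viewer is nil for an anonymous request, otherwise a user id.
def visible?(issue, viewer)
  return true unless issue.confidential
  return false if viewer.nil?
  issue.project_member_ids.include?(viewer)
end

# Vulnerable pattern (the reported behaviour): statistics over every issue on
# the milestone, regardless of who is asking.
def leaky_stats(issues)
  { total: issues.size, closed: issues.count(&:closed_on) }
end

# Hardened pattern: narrow the scope by visibility first, then compute every
# statistic from that scope only.
def visible_issues(issues, viewer)
  issues.select { |i| visible?(i, viewer) }
end

def milestone_stats(issues, viewer)
  scope = visible_issues(issues, viewer)
  { total: scope.size, closed: scope.count(&:closed_on) }
end

# Burndown: number of still-open visible issues at the end of each day.
def burndown(issues, viewer, start_date, end_date)
  scope = visible_issues(issues, viewer)
  (start_date..end_date).map do |day|
    remaining = scope.count { |i| i.closed_on.nil? || i.closed_on > day }
    [day, remaining]
  end
end

# Constructed sample: one public issue plus two confidential ones, one closed.
SAMPLE = [
  Issue.new(id: 1, confidential: false, closed_on: nil, project_member_ids: [7]),
  Issue.new(id: 2, confidential: true, closed_on: Date.new(2025, 5, 2), project_member_ids: [7]),
  Issue.new(id: 3, confidential: true, closed_on: nil, project_member_ids: [7])
]
```

For the sample, the leaky version reports 3 issues (1 closed) to everyone, while the hardened version reports 1 issue (0 closed) to an anonymous viewer and the full figures only to member 7.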

Relevant logs and/or screenshots

n/a

Output of checks

n/a

Results of GitLab environment info

Omnibus install:

System information
System:
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	3.2.5
Gem Version:	3.6.5
Bundler Version:2.6.5
Rake Version:	13.0.6
Redis Version:	7.0.15
Sidekiq Version:7.2.4
Go Version:	unknown

GitLab information
Version:	17.10.4-ee
Revision:	8809f9af4e0
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	14.17
URL:		[redacted]
HTTP Clone URL:	[redacted]
SSH Clone URL:	[redacted]
Elasticsearch:	yes
Geo:		yes
Geo node:	Primary
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: jwt

GitLab Shell
Version:	14.41.0
Repository storages:
- default: 	unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address: 	unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 	17.10.4
- default Git Version: 	2.48.1.gl1

Impact

Count of confidential issues assigned to a public group milestone is revealed
