Release Description visible in public projects despite release set as project members only through atom response
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #2079374](https://hackerone.com/reports/2079374)** by `ashish_r_padelkar` on 2023-07-21, assigned to `GitLab Team`:

[Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

Hello,

I reported a similar issue here, #1824226, which was fixed a few months back, and I see a similar issue exists at a different endpoint too.

`Releases` can be restricted to `Only Project Members` in project settings. This should ensure that no release information is visible outside team members. However, anyone can see the release `Description` in public projects through the tags endpoint `/-/tags?format=atom` at `https://gitlab.com/<Namespace>/<projectName>/-/tags?format=atom` even when releases are set as project members only.

##### Steps to reproduce

1. As a project owner, set your project as public with `Releases` as `Only Project Members` at `https://gitlab.com/<NameSpace>/<ProjectName>/edit#js-general-project-settings`.
2. Now create a `Release` at `https://gitlab.com/<NameSpace>/<ProjectName>/-/releases`. Put something important within the Description field, for eg `THIS_IS_IMPORTANT_RELEASE_DESCRIPTION`.
3. Access `https://gitlab.com/<NameSpace>/<ProjectName>/-/releases` without authentication; you will get a 404 as the Release is only visible to team members.
4. Now visit `https://gitlab.com/<NameSpace>/<ProjectName>/-/tags`; you will see tags but no release information here either.
5. Now append `?format=atom` to the end of the above URL, for eg `https://gitlab.com/<NameSpace>/<ProjectName>/-/tags?format=atom`. In the response, you should see the Release Description `THIS_IS_IMPORTANT_RELEASE_DESCRIPTION`, which you shouldn't!
##### Examples

You can visit my test project at `https://gitlab.com/groupjulypremium2023/project_july2023/-/tags`. You will see tags but no release information. Now visit `https://gitlab.com/groupjulypremium2023/project_july2023/-/tags?format=atom` and you should find `Release_1234` in the response, which is the description of one of my releases, which you shouldn't see.

##### What is the current *bug* behavior?

Release descriptions are disclosed in the tags atom response endpoint despite releases being set as project members only.

##### What is the expected *correct* behavior?

Release descriptions should not be visible to unauthenticated users when they are set as only project members.

##### Output of checks

This bug happens on GitLab.com `GitLab Enterprise Edition 16.3.0-pre f7d52011546`

Regards,
Ashish

#### Impact

Release Description visible in public projects despite release set as project members only

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
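As an added example (not part of the report above and not GitLab's own code), the following Python script turns the reporter's manual steps 4 and 5 into a repeatable check: it parses a tags Atom feed and flags every tag entry whose `<content>` carries a release description, which is exactly the data an anonymous reader should not receive when `Releases` is restricted to project members. The feed structure (one `<entry>` per tag, with the rendered release description in `<content type="html">`) follows what the report observed; the sample feed, the `gitlab.example` host and the `fetch_tags_feed` helper are assumptions for illustration, and the offline checks never touch the network.

```python
"""Check a GitLab tags Atom feed for release descriptions exposed to
anonymous users.

Added example for this issue; not GitLab code and not the reporter's code.
The feed shape (Atom entries whose <content> carries the rendered release
description) follows what the report observed; the sample feed below is
constructed, not captured from gitlab.com.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET
from html import unescape

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}


def fetch_tags_feed(project_url: str) -> str:
    """Fetch <project_url>/-/tags?format=atom with NO credentials.

    Network helper for live testing against an instance you are allowed to
    test; the offline checks below never call it.
    """
    req = urllib.request.Request(
        project_url.rstrip("/") + "/-/tags?format=atom",
        headers={"Accept": "application/atom+xml"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def strip_html(fragment: str) -> str:
    """Reduce rendered Markdown (HTML) to plain text for comparison."""
    return unescape(re.sub(r"<[^>]+>", "", fragment)).strip()


def parse_tag_entries(atom_xml: str) -> dict:
    """Map tag name -> plain-text release description found in <content>.

    Tags with no release (or an empty description) map to "".
    """
    root = ET.fromstring(atom_xml)
    entries = {}
    for entry in root.findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS)
        content = entry.findtext("atom:content", default="", namespaces=ATOM_NS)
        entries[title.strip()] = strip_html(content or "")
    return entries


def leaked_releases(atom_xml: str) -> dict:
    """Return {tag: description} for every entry that exposes a description.

    Any non-empty description reached without a session is a leak when the
    project's Releases feature is restricted to project members.
    """
    return {tag: desc for tag, desc in parse_tag_entries(atom_xml).items() if desc}


# Constructed sample (assumed host gitlab.example): public project, releases
# restricted to members, one tag with a release and one without.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
  <title>project_july2023 tags</title>
  <id>https://gitlab.example/groupjulypremium2023/project_july2023/-/tags</id>
  <entry>
    <id>https://gitlab.example/groupjulypremium2023/project_july2023/-/tags/v1.0</id>
    <title>v1.0</title>
    <summary>Tag v1.0</summary>
    <content type="html">&lt;p&gt;THIS_IS_IMPORTANT_RELEASE_DESCRIPTION&lt;/p&gt;</content>
    <author><name>owner</name><email>owner@example.invalid</email></author>
  </entry>
  <entry>
    <id>https://gitlab.example/groupjulypremium2023/project_july2023/-/tags/v0.9</id>
    <title>v0.9</title>
    <summary>Tag v0.9, no release attached</summary>
    <content type="html"></content>
    <author><name>owner</name><email>owner@example.invalid</email></author>
  </entry>
</feed>
"""

if __name__ == "__main__":
    for tag, desc in leaked_releases(SAMPLE_FEED).items():
        print(f"LEAK: tag {tag!r} exposes release description {desc!r}")
```

To run it against a live project, replace `SAMPLE_FEED` with `fetch_tags_feed("https://gitlab.example/<NameSpace>/<ProjectName>")` from an unauthenticated session; a fixed instance should yield an empty `leaked_releases` result for a project whose releases are members-only.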