Vulnerability feedback information visible in public projects
HackerOne report #490250 by ashish_r_padelkar
on 2019-02-02, assigned to estrike
Summary:
Hello,
There is a feature in projects called Security Dashboard, which is not visible publicly. When you browse the Security Dashboard, the following endpoint is requested in the background:
https://gitlab.com/<UserName>/<ProjectName>/vulnerability_feedback?category=dependency_scanning
This endpoint is also visible publicly, which I think it should not be, because it reveals some important information.
Description:
This endpoint also works in the following scenarios:
- When public projects have the settings shown below
- Guests in private projects are also able to see this information.
Steps To Reproduce:
- As an owner of a public project, set the settings shown in the screenshot above
- Now access the URL with/without authentication, or as another user:
https://gitlab.com/<UserName>/<ProjectName>/vulnerability_feedback?category=dependency_scanning
Regards,
Ashish
Impact
Public projects reveal security-related information to unauthorised users.
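The access-control gap the report describes is that the endpoint is served whenever the project itself is viewable, instead of requiring the project role the Security Dashboard needs. The Ruby below is an added illustration, not GitLab's code: the role names, access-level numbers, the developer minimum and the sample projects are all assumptions constructed for the example. It shows the reported (permissive) check beside a hardened one that also enforces the feature's minimum role.

```ruby
# Added example, not GitLab's code. Models a per-project
# "vulnerability feedback" endpoint and contrasts the reported
# behaviour with an authorization check that also requires a role.
# All role names, levels and fixtures below are constructed assumptions.

ACCESS_LEVELS = {
  anonymous: 0,
  guest: 10,
  reporter: 20,
  developer: 30,
  maintainer: 40,
}.freeze

# Assumption for illustration: reading vulnerability feedback requires
# at least developer access to the project.
MIN_LEVEL_FOR_VULNERABILITY_FEEDBACK = ACCESS_LEVELS[:developer]

Project = Struct.new(:name, :visibility, :members, keyword_init: true)
User = Struct.new(:name, keyword_init: true)

# Access level of a user on a project; unauthenticated callers are anonymous.
def access_level(project, user)
  return ACCESS_LEVELS[:anonymous] if user.nil?
  project.members.fetch(user.name, ACCESS_LEVELS[:anonymous])
end

# Project readability: public projects are readable by everyone,
# private projects only by members (a guest is a member).
def can_read_project?(project, user)
  project.visibility == :public ||
    access_level(project, user) > ACCESS_LEVELS[:anonymous]
end

# Reported (permissive) pattern: the endpoint is gated only on project
# readability, so anonymous users of a public project and guests of a
# private project receive the feedback data.
def vulnerability_feedback_before_fix(project, user)
  can_read_project?(project, user) ? 200 : 404
end

# Hardened pattern: project readability is necessary but not sufficient;
# the caller must also hold the minimum role the feature requires.
def can_read_vulnerability_feedback?(project, user)
  can_read_project?(project, user) &&
    access_level(project, user) >= MIN_LEVEL_FOR_VULNERABILITY_FEEDBACK
end

def vulnerability_feedback_after_fix(project, user)
  # 404 for unreadable projects so the check does not leak their existence.
  return 404 unless can_read_project?(project, user)
  return 403 unless can_read_vulnerability_feedback?(project, user)
  200
end

# Constructed fixtures (not real projects or users).
PUBLIC_PROJECT = Project.new(
  name: "public-app", visibility: :public,
  members: { "alice" => ACCESS_LEVELS[:maintainer] }
)
PRIVATE_PROJECT = Project.new(
  name: "private-app", visibility: :private,
  members: { "alice" => ACCESS_LEVELS[:maintainer],
             "bob"   => ACCESS_LEVELS[:guest],
             "carol" => ACCESS_LEVELS[:developer] }
)
ALICE = User.new(name: "alice")
BOB   = User.new(name: "bob")
CAROL = User.new(name: "carol")

# Status code each caller gets from both versions of the endpoint.
def compare_responses
  cases = {
    "anonymous on public project" => [PUBLIC_PROJECT, nil],
    "guest on private project"    => [PRIVATE_PROJECT, BOB],
    "developer on private project" => [PRIVATE_PROJECT, CAROL],
    "maintainer on public project" => [PUBLIC_PROJECT, ALICE],
    "anonymous on private project" => [PRIVATE_PROJECT, nil],
  }
  cases.transform_values do |(project, user)|
    { before: vulnerability_feedback_before_fix(project, user),
      after: vulnerability_feedback_after_fix(project, user) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_responses.each do |label, codes|
    puts format("%-30s before: %d  after: %d", label, codes[:before], codes[:after])
  end
end
```

The two scenarios the report lists (anonymous visitor to a public project, guest in a private project) both receive 200 from the permissive version and 403 from the hardened one, while a non-member of a private project still gets 404 in both, so the fix does not widen what the endpoint discloses.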