CVE-2022-3482: Release names visible in public projects despite release set as project members only (#377802) · Issues · GitLab.org / GitLab · GitLab

An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases were set to be restricted to project members only.

Open. Issue created Oct 13, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Release names visible in public projects despite release set as project members only

HackerOne report #1725841 by ashish_r_padelkar on 2022-10-07, assigned to @cmaxim:


Report

Summary

Hello,

Release can be restricted for Only Project Members in project settings. This should ensure that no release information is visible outside team members.

However, anyone can see release names in public projects through tags page at https://gitlab.com/<NameSpace>/<ProjectName>/-/tags even when releases are set as project members only.

Steps to reproduce

1. As a project owner, set your project as public with Releases as Only Project Members at https://gitlab.com/<NameSpace>/<ProjectName>/edit#js-general-project-settings.

2. Now create a Release at https://gitlab.com/<NameSpace>/<ProjectName>/-/releases.

3. Access https://gitlab.com/<NameSpace>/<ProjectName>/-/releases without authentication; you will get a 404, as the Release is only visible to team members.

4. Now access the tag page at https://gitlab.com/<NameSpace>/<ProjectName>/-/tags and you should see the Release associated with the tags like below.

5. As the repository is public, you are able to see the tag page, and the tag page discloses the release names. This requires a proper permission check.

Examples

You can see https://gitlab.com/groupnew321/projectbugs/-/tags release name visible for tag. Clicking on release will give you 404 page.

What is the current bug behavior?

Release names are disclosed in tag names despite release set as project members only.

What is the expected correct behavior?

Release names should not be visible for unauthenticated users when they are set as only project members

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Release names visible in public projects despite release set as project members only

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screen_Shot_2022-10-07_at_9.13.18_PM.png
  • Screen_Shot_2022-10-07_at_9.05.30_PM.png

Proposal

Add the proper permission check to the tag partial which is rendered server side.
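The proposal above comes down to one rule: the tag listing must consult the same release-visibility policy that the releases page already enforces, instead of relying on the repository being readable. The following Ruby sketch is an added illustration, not GitLab's code. It models a project whose releases are restricted to members (a hypothetical `releases_access` attribute), shows the unchecked partial that leaks the release name beside the hardened partial that gates it behind `can_read_release?`, and uses constructed sample data.

```ruby
# Added illustration (not GitLab's code): a server-rendered tag listing that
# applies the release-visibility policy to the release name it displays.

# Hypothetical access levels modelled after the report: releases are either
# visible to everyone or visible to project members only.
RELEASES_EVERYONE = :everyone
RELEASES_MEMBERS  = :members

Project = Struct.new(:public, :releases_access, :members, keyword_init: true)
Tag     = Struct.new(:name, :release_name, keyword_init: true)
User    = Struct.new(:username, keyword_init: true)

# Single policy shared by the releases page and the tag partial, so the
# partial cannot disclose what the releases page withholds (the 404).
def can_read_release?(user, project)
  return true if project.releases_access == RELEASES_EVERYONE
  return false if user.nil?                       # anonymous visitor
  project.members.include?(user.username)
end

# Vulnerable shape: the release name is rendered whenever the tag itself is
# readable (public repository); the release policy is never consulted.
def render_tag_row_unchecked(tag, _user, _project)
  row = "tag: #{tag.name}"
  row += " | release: #{tag.release_name}" if tag.release_name
  row
end

# Hardened shape: the partial checks the release policy before emitting the
# release name, so anonymous users see only the tag.
def render_tag_row(tag, user, project)
  row = "tag: #{tag.name}"
  if tag.release_name && can_read_release?(user, project)
    row += " | release: #{tag.release_name}"
  end
  row
end

# Renders the whole tags page for a given viewer.
def render_tags_page(tags, user, project)
  tags.map { |t| render_tag_row(t, user, project) }.join("\n")
end

# Constructed sample data: a public project whose releases are members-only.
SAMPLE_PROJECT = Project.new(public: true, releases_access: RELEASES_MEMBERS,
                             members: ['alice'])
SAMPLE_TAGS = [
  Tag.new(name: 'v1.0.0', release_name: 'Internal release 1.0'),
  Tag.new(name: 'v0.9.0', release_name: nil)
]

if __FILE__ == $PROGRAM_NAME
  puts "anonymous:\n#{render_tags_page(SAMPLE_TAGS, nil, SAMPLE_PROJECT)}"
  puts "member:\n#{render_tags_page(SAMPLE_TAGS, User.new(username: 'alice'), SAMPLE_PROJECT)}"
end
```

The design point is that the check lives in the policy, not in the view: any other partial that later displays release data (badges, commit lists, search results) reuses `can_read_release?` and inherits the same behaviour, which is what prevents the same disclosure from reappearing in a different template.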

Edited Oct 24, 2022 by Allen Cook
