Information Disclosure in Issue and Merge Request Trackers
During an internal code review a critical vulnerability in the GitLab
Issue and Merge Request trackers was discovered. This vulnerability could
allow a user who is able to assign an issue or merge request to another
user to disclose that user's private token, email token, email address,
and encrypted OTP secret. Reporter-level access to a GitLab project is
required to exploit this flaw.
SSRF when importing a project from a Repo by URL
GitLab instances that have enabled project imports using "Repo by URL"
were vulnerable to Server-Side Request Forgery (SSRF) attacks. By specifying
a project import URL pointing at localhost, an attacker could target
services bound to the local interface of the server. These services often
do not require authentication. Depending on the service, an attacker might
be able to craft an attack using the project import request URL.
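The defensive counterpart to this issue is to validate the import URL before any request is made. The following Ruby module is an added example written for this page, not GitLab's own code; the module name ImportUrlGuard, the injectable resolver and the blocked-range list are assumptions. It rejects URLs whose scheme is unexpected or whose host is localhost, an address literal, or a name that resolves to any loopback, link-local, unspecified or private range, including IPv4-mapped IPv6 forms.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# ImportUrlGuard (hypothetical name, added example) rejects "Repo by URL"
# import targets that point at loopback, link-local, unspecified or
# private address ranges. The resolver is injectable so the check runs
# offline in tests; in production the default (Resolv.getaddresses) applies.
module ImportUrlGuard
  BLOCKED_RANGES = %w[
    127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
    0.0.0.0/8 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  ALLOWED_SCHEMES = %w[http https git].freeze

  # Returns [:ok, nil] or [:blocked, reason]. Every address the host
  # resolves to is checked, because a name may map to both a public
  # and an internal address.
  def self.check(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url)
    return [:blocked, 'unsupported scheme'] unless ALLOWED_SCHEMES.include?(uri.scheme)

    host = uri.hostname # strips the [] around IPv6 literals
    return [:blocked, 'missing host'] if host.nil? || host.empty?
    return [:blocked, 'localhost is not allowed'] if host.downcase == 'localhost'

    addrs = literal_ip?(host) ? [host] : resolver.call(host)
    return [:blocked, 'host does not resolve'] if addrs.empty?

    addrs.each do |addr|
      ip = IPAddr.new(addr)
      ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 is really 127.0.0.1
      return [:blocked, "#{addr} is in a blocked range"] if BLOCKED_RANGES.any? { |r| r.include?(ip) }
    end
    [:ok, nil]
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    [:blocked, "invalid URL: #{e.message}"]
  end

  def self.literal_ip?(str)
    IPAddr.new(str)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end
```

Resolving the name here and connecting later still leaves a time-of-check/time-of-use gap (DNS rebinding), so the HTTP or git client should connect to the vetted addresses rather than resolving the name again.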
Links in Environments tab vulnerable to tabnabbing
edio via HackerOne reported that user-configured Environment links
include target="_blank" but do not also include rel="noopener noreferrer".
Anyone clicking on these links may therefore be subjected to tabnabbing
attacks, where the newly opened page retains a reference back to the page
that opened it and the target server can use that reference to manipulate
the opening page.
Accounts with email set to "Do not show on profile" have addresses exposed in public Atom feed
Several GitLab users reported that even with "Do not show on profile"
configured for their email addresses, those addresses were still being
disclosed in Atom feeds if they commented on a public project.