GitLab patches Elasticsearch private group data leak bug



A bug bounty researcher has been awarded $3000 for disclosing a security issue in GitLab that exposed data belonging to private groups.

The report was made public on the HackerOne bug bounty platform on October 6. 


Submitted by researcher Riccardo "rpadovani" Padovani on November 29, 2019, the GitLab issue is described as a failure to remove code from Elasticsearch API search results when transferring a public group to a private group. 


Padovani said the medium-severity issue occurs when a project handler moves a public group -- with public projects -- to private status. Doing so should also lock down the code and wiki associated with those projects, but because of the flaw this data could still be reached through the search APIs.




The bug bounty hunter described a scenario in which the improper access issue could be triggered:



"Alice creates the public group "Example", and a public project named "Example-project" inside the group. In the readme of the project, Alice writes "Example".


Now, Alice creates a private group called "private", and transfers all of the "Example" group to the "private" group. If Bob (totally unrelated to Alice) searches for "Example" instance-wide, he will not find anything [... but if he] uses APIs, he will receive the results back with the information that should be private."



The same behaviour affects the wiki_blobs functionality. It is worth noting, however, that the problem only occurs when transferring groups, not single projects.
