Vulnerability in GitLab’s API exposed confidential data
By Jeremy Carpenter, posted on 05 November 2018
Popular web-based repository manager GitLab has fixed a bug in its API that may have exposed confidential data about projects.
An insecure direct object reference (in effect, a missing authorization check) in the GitLab Events API returned information such as private notes, private merge requests, and confidential issues to API callers who were not entitled to see it.
In a post, GitLab Director of Security Kathy Wang wrote:
“We discovered that this exposure dates back to June 22, 2017, with the 9.3 release. GitLab’s Events API was returning private events related to projects that were marked as public during that time frame.
These events included information that was marked as private, such as confidential issues and private merge requests, among others. The issue was present in all versions of GitLab between 9.3 and 11.3, and across all deployments, including GitLab.com.
The exposure of these private events was present only through the API, whereas the UI behaved as-intended and filtered these events.”
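The bug class described above, where an API endpoint filters on project visibility but not on the confidentiality of the individual items it returns while the UI applies both checks, reduces to a small model. The following is an added example written for this article, not GitLab's code; the models (`Project`, `Issue`, `MergeRequest`, `Event`, `User`), the `:confidential` and `:members_only` flags, and the sample events are hypothetical stand-ins for the real GitLab objects.

```ruby
# Added example, not GitLab's code: a minimal model of the Events API bug
# class. All class and attribute names here are hypothetical stand-ins.

User = Struct.new(:id)

# A project is readable by anyone if public, otherwise only by its members.
Project = Struct.new(:id, :visibility, :member_ids) do
  def member?(user)
    !user.nil? && member_ids.include?(user.id)
  end

  def readable_by?(user)
    visibility == :public || member?(user)
  end
end

# Targets carry their own, stricter rule: a confidential issue is visible
# only to project members, even when the project itself is public.
Issue = Struct.new(:id, :project, :title, :confidential) do
  def visible_to?(user)
    return false unless project.readable_by?(user)
    !confidential || project.member?(user)
  end
end

# Same idea for a merge request restricted to members (hypothetical flag).
MergeRequest = Struct.new(:id, :project, :title, :members_only) do
  def visible_to?(user)
    return false unless project.readable_by?(user)
    !members_only || project.member?(user)
  end
end

Event = Struct.new(:action, :target)

# Vulnerable feed: checks only whether the caller may read the project, so
# confidential targets inside a public project leak to anyone.
def events_api_vulnerable(events, user)
  events.select { |e| e.target.project.readable_by?(user) }
end

# Fixed feed: applies the same per-target visibility rule the UI already used.
def events_api_fixed(events, user)
  events.select { |e| e.target.visible_to?(user) }
end

# Constructed fixture: one public project (member id 42) with a public issue,
# a confidential issue and a members-only merge request.
def sample_events
  project = Project.new(1, :public, [42])
  [
    Event.new("opened", Issue.new(10, project, "Public issue", false)),
    Event.new("opened", Issue.new(11, project, "Confidential issue", true)),
    Event.new("merged", MergeRequest.new(12, project, "Members-only MR", true)),
  ]
end

def event_titles(events)
  events.map { |e| e.target.title }
end

if __FILE__ == $PROGRAM_NAME
  anonymous = nil
  member = User.new(42)
  puts "vulnerable, anonymous: #{event_titles(events_api_vulnerable(sample_events, anonymous)).inspect}"
  puts "fixed, anonymous:      #{event_titles(events_api_fixed(sample_events, anonymous)).inspect}"
  puts "fixed, member:         #{event_titles(events_api_fixed(sample_events, member)).inspect}"
end
```

The point the model makes is that project-level and item-level visibility are separate decisions, and every read path (UI, API, export) has to apply the item-level one. Centralising the rule in one `visible_to?` method that both the UI and the API call is the cheapest way to keep them from diverging again.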
GitLab has become increasingly popular since GitHub was acquired by Microsoft. Following the acquisition, the number of developers using GitLab’s tool for importing GitHub repositories spiked considerably.
The company investigated four months of retained logs following the discovery of the issue by HackerOne researcher ngalog, and found no evidence that any unauthorised parties had accessed confidential information. Note that four months of logs cover only part of the period since June 2017 during which the bug was present, so the absence of evidence applies to that window only.
“GitLab takes your information and your data extremely seriously and has more than quadrupled the size of our internal security team in the last six months, with further plans to grow,” says Wang.
“We will learn from this incident and use it to improve upon our security posture even further.”