GitLab patches Elasticsearch private group data leak bug


A bug bounty researcher has been awarded $3000 for disclosing a security issue in GitLab leading to the exposure of private groups. 

The report was made public on the HackerOne bug bounty platform on October 6. 

Submitted by researcher Riccardo “rpadovani” Padovani on November 29, 2019, the GitLab issue is described as a failure to remove code from Elasticsearch API search results when transferring a public group to a private group. 

Padovani said the medium-severity issue occurs when a project handler shifts a public group — with public projects — to private status. This should also mean that the code and wiki associated with the project should be locked down, but the security flaw ensured that this data could still be reached through search APIs. 

CNET: Amazon doubles down on Echo home security. What to know

The bug bounty hunter described a scenario in which the improper access issue could be triggered:

“Alice creates the public group “Example”, and a public project named “Example-project” inside the group. In the readme of the project, Alice writes “Example”.

Now, Alice creates a private group called “private”, and transfer all the “Example” group to the “private” group. If Bob (totally unrelated to Alice) searches for “Example” instance-wide, he will not find anything [… but if he] uses APIs, he will receive the results back with the information that should be private.”

This also happens with wiki_blobs functionality. However, it is worth noting that the problem only occurs when transferring groups, rather than single projects. 

TechRepublic: How to boost the effectiveness of your cybersecurity operations

GitLab triaged and accepted the report, awarding a bounty of $3000. A patch was issued in GitLab version 12.5.4. 

In April, the dev-ops platform awarded William Bowling $20,000 for disclosing a remote code execution (RCE) vulnerability. In March, the researcher made GitLab aware of critical validation issues in the Gitlab UploadsRewriter function which could be exploited to trigger a path traversal scenario, leading to RCE. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *