On most pages related to Private projects, cache control is inadequate, so the contents of Private projects may leak to unauthorized users.
For visibility of projects, you can select
Among them, Private projects can only be viewed by project members. (In other words, they cannot be viewed by anyone who is not a project member.)
The GitLab Documentation also states this, as follows:
Private projects can only be cloned and viewed by project members, ...
However, due to inadequate cache control on most pages related to Private projects, an attacker may view these contents using the browser's 'Back' button.
In addition, users who are not logged in can also exploit this problem.
Note: This issue affects all modern browsers.
Result: The content of the private project "PoC" is displayed without logging in.
This issue leads to information leakage.
Cache control is inadequate on most pages related to Private projects.
Therefore, almost all contents of a Private project may leak.
Although exploitation requires physical access to the victim's PC, it is not very difficult to access someone's PC in the following situations:
Examples of critical information that may leak are as follows:
Note: The official documentation specifies that they will not be viewed by unauthorized users.
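One way to check for the condition described above, as an added example that is not part of the original report or of GitLab's code: it parses the Cache-Control header of responses that carry private content and flags those a browser may store and redisplay. The paths and header values are constructed samples, and treating `no-store` as the required directive is this example's assumption.

```python
# Added example: audit response headers of private pages for cacheability.
# SAMPLES is constructed for illustration, not captured from a real server.

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_private_response(headers):
    """Return findings for one response that carries private content."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    cc = parse_cache_control(h.get("cache-control"))
    findings = []
    if "cache-control" not in h:
        findings.append("no Cache-Control header: caching left to browser heuristics")
    if "no-store" not in cc:
        # private / must-revalidate alone do not stop history navigation
        # from showing a stored copy.
        findings.append("missing no-store: a stored copy may be shown on Back")
    if "public" in cc:
        findings.append("public: shared caches may store the response")
    return findings


# Constructed sample responses (hypothetical paths and header values).
SAMPLES = {
    "/constructed/private-a": {"Cache-Control": "max-age=0, private, must-revalidate"},
    "/constructed/private-b": {"Content-Type": "text/html"},
    "/constructed/private-c": {"cache-control": "public, max-age=3600"},
    "/constructed/private-d": {"Cache-Control": "no-store"},
}


def audit_all(samples):
    """Audit every sample; map path -> list of findings (empty means OK)."""
    return {path: audit_private_response(h) for path, h in samples.items()}


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(path, "OK" if not findings else findings)
```
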