Unauthorized users may be able to view almost all information related to Private projects.
State Resolved (Closed)
Disclosed publicly 2018-12-03T22:15:29.740Z
Reported To
Weakness Information Disclosure

submitted a report to GitLab.

On most of the pages related to Private projects, cache control is inadequate, so the contents of Private projects may leak to unauthorized users.

For visibility of projects, you can select Public, Internal, and Private.
Among them, Private projects can only be viewed by project members. (In other words, they cannot be viewed by those who are not project members.)
Also, in the GitLab documentation, it is mentioned as follows:

Private projects can only be cloned and viewed by project members, ...

However, due to inadequate cache control on most of the pages related to Private projects, an attacker may view these contents using the 'Back' button in the browser.
In addition, users who are not logged in can also exploit this problem.

Note: This issue supports all modern browsers.

Steps To Reproduce:

  1. Sign in to GitLab.
  2. Click the "[+]" icon.
  3. Click "New Project".
  4. Fill out "Project name" form with "PoC".
  5. Check the check box of "Private".
  6. Click "Create project" button.
  7. Sign out from GitLab.
  8. Hit the "Back" button in browser.

Result: The content of the private project "PoC" is displayed without logging in.


This issue leads to information leakage.
Cache control is inadequate on most pages related to Private projects.
Therefore, almost all contents of Private project may leak.

Although the exploitation needs physical access to the victim's PC, it is not very difficult to access someone's PC in the following scenarios:

  • Office scenario
  • Laptop case

The examples of critical information that may leak are as follows:

  • List of file names
  • Source code
  • Commit log
  • Issues
  • Contents of the wiki

Note: The official document specifies that they will not be viewed by unauthorized users.


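As an added illustration (not part of the report and not GitLab's code): a Python check of the Cache-Control policy a response carrying private content should have, run over constructed sample headers. The "weak" sample is a typical web-framework default, not a header captured from GitLab.

```python
"""Audit Cache-Control on responses that must never be served from cache.

Added example, not GitLab code. The sample headers below are constructed.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}, lower-cased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_private_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that should never be stored by a cache.

    Target policy: Cache-Control: no-store (nothing may be kept), plus
    no-cache (any copy must be revalidated) and Pragma: no-cache for
    HTTP/1.0 intermediaries. An empty list means the policy is adequate.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("missing no-store: browser may keep a copy and show it on Back")
    if "no-cache" not in cc:
        findings.append("missing no-cache: a stored copy may be reused without revalidation")
    if cc.get("max-age", "0") != "0":
        findings.append(f"max-age={cc['max-age']}: response explicitly declared fresh")
    if "public" in cc:
        findings.append("public: shared caches (proxies, CDNs) may store the response")
    if lower.get("pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache for HTTP/1.0 intermediaries")
    return findings


# Constructed samples: a common framework default versus a hardened policy.
WEAK = {"Cache-Control": "max-age=0, private, must-revalidate"}
HARDENED = {"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
            "Pragma": "no-cache"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_private_response(hdrs) or ["OK"])
```

Note that `private` and `max-age=0` only restrict shared caches and freshness; they do not stop the browser from keeping a copy, which is why `no-store` is the directive to look for.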
jritchey Activities::Comment
Hi @8ayac, Thank you for submitting this report. We are currently investigating the issue. Due to our current workload, we will get back within the next week with an update. Best regards, James

dappelt Activities::Comment
Hi @8ayac, I could reproduce the described behavior. We are working internally on resolving the issue at https://gitlab.com/gitlab-org/gitlab-ce/issues/51423. The issue will be made public 30 days after a patch has been released. We will keep you updated on our progress via HackerOne. Feel free to contact us anytime if you need an update. Best regards, Dennis

dappelt Activities::BugTriaged

jritchey Activities::BugResolved
Thanks again for reporting this @8ayac! We've recently released the patch at https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/. Setting this issue to closed. I've requested to get some more swag sent your way. Please let me know if you don't receive the email with the swag code within a day or two. Best regards, James

8ayac Activities::Comment
@jritchey, Thanks for more swag, I'm so happy! By the way, I hope to get a bounty, but what kind of discovery does it deserve in GitLab? Would not you give a bounty for any of my continuing reports? Thanks.

jritchey Activities::Comment
@8ayac, For our public program we only offer swag. Though since you've reported a few good findings in the public program, I've invited you to our VIP program which for any future reports we reward bounties. Best regards, James

8ayac Activities::Comment
Thanks @jritchey for your invitation.

8ayac Activities::Comment
@jritchey, May I publish this report?

jritchey Activities::Comment
@8ayac, Our policy is to make all security issues public 30 days after a patch has been released. So for this one, we can make it public on Nov 26th.

8ayac Activities::Comment
Hi @jritchey, Let's make this report public. Thanks.

jritchey Activities::AgreedOnGoingPublic
@8ayac, Yep, let's set to public. Best regards, James

8ayac Activities::AgreedOnGoingPublic

8ayac Activities::ReportBecamePublic