Earlier this week GitLab announced the release of security updates aimed at fixing various flaws found in previous iterations. One issue was an insecure direct object reference (IDOR) in the Events API that exposed confidential content within all public projects. The exposed information includes confidential issues, private notes, and private merge requests.
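The flaw described above is an authorisation check performed at the wrong level: access is decided once for the project, while the objects the events point at (confidential issues, private notes) carry their own, stricter visibility rules. The toy Ruby below is an added illustration of that pattern and is not GitLab's code; the structs, the `events_vulnerable`/`events_hardened` functions and all sample records are constructed for the example.

```ruby
# Added example, not GitLab's code: a toy "events" endpoint showing the IDOR
# pattern described above. All records below are constructed sample data.

Project = Struct.new(:id, :public, :members)   # members: array of usernames
Issue   = Struct.new(:id, :project, :confidential)
Event   = Struct.new(:id, :project, :target)   # target may be an Issue or nil

PROJ         = Project.new(1, true, ['alice'])
PUBLIC_ISSUE = Issue.new(10, PROJ, false)
SECRET_ISSUE = Issue.new(11, PROJ, true)
EVENTS = [
  Event.new(100, PROJ, PUBLIC_ISSUE),   # "opened issue #10"
  Event.new(101, PROJ, SECRET_ISSUE),   # "opened confidential issue #11"
  Event.new(102, PROJ, nil),            # "pushed to master" (no target object)
]

# viewer is a username string, or nil for an anonymous (unauthenticated) request
def project_visible?(project, viewer)
  project.public || project.members.include?(viewer)
end

# Vulnerable pattern: authorisation is evaluated once at the project level,
# so every event in a public project, including those whose target is a
# confidential issue, is returned to anyone who can see the project.
def events_vulnerable(events, viewer)
  events.select { |e| project_visible?(e.project, viewer) }
end

# Per-object check: a confidential issue is only readable by project members.
def can_read_target?(target, viewer)
  return true if target.nil?                                   # event has no guarded object
  return false unless project_visible?(target.project, viewer)
  return true unless target.confidential
  target.project.members.include?(viewer)
end

# Hardened pattern: the decision is made for each event's target as well,
# so the event referencing the confidential issue is dropped for non-members.
def events_hardened(events, viewer)
  events.select do |e|
    project_visible?(e.project, viewer) && can_read_target?(e.target, viewer)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, anonymous: #{events_vulnerable(EVENTS, nil).map(&:id).inspect}"
  puts "hardened,   anonymous: #{events_hardened(EVENTS, nil).map(&:id).inspect}"
  puts "hardened,   alice:     #{events_hardened(EVENTS, 'alice').map(&:id).inspect}"
end
```

The practical takeaway for reviewers of list or feed endpoints is that the filter applied to the collection must be the same policy that governs reading each element individually; if `GET /issues/11` would be denied, an event that summarises issue 11 must be denied too.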
The issue was reported to GitLab by an independent security researcher on September 20th. The company notes that the flaw affects GitLab versions CE/EE 9.3 and later, and recommends that all affected users upgrade to the latest iteration immediately. Version 9.3 dates back to June 22, 2017, so assessing the impact could be difficult. GitLab noted in a blog post:
Given the wide time window during which the issue was present (more than a year), we are unable to determine with accuracy the extent of the impact. While we don’t have any indication that the issue was ever misused, we are also unable to say with any certainty that it hasn’t been.
The company followed up by stating that they have reviewed 4 months of retained GitLab.com logs, and were unable to find evidence that unauthorized parties had accessed the content.
The GitLab Security Team deployed a hotfix on September 21st, one day after notification of the issue, and by September 24th the team was able to verify the solution's efficacy. On October 1st, GitLab had a previously scheduled security release that included a permanent solution to the problem.
As a result of this issue GitLab has embarked upon a cross-functional effort to pinpoint how they could “identify this issue sooner, respond more quickly, and ensure the reliability of our patched systems.” This effort has already resulted in various improvements to internal processes and practices.