CVE-2020-10976
Description
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE/CE versions 8.17 to 12.9 leak information via the merge request widget query, fixed in 12.9.1.
Vulnerability
GitLab EE/CE versions 8.17 through 12.9 contain an information disclosure vulnerability in the merge request widget. When querying the widget endpoint, the application returns sensitive data that should be restricted, such as confidential merge request details. The issue exists in the API handling of merge request queries.
Exploitation
An attacker with network access to a GitLab instance can exploit this by sending crafted requests to the merge request widget API endpoint. No special privileges are required beyond the ability to query merge requests; the vulnerability leaks information that is normally hidden from unauthorized users. The attacker can enumerate merge requests and extract confidential data.
Impact
Successful exploitation results in unauthorized disclosure of sensitive information from merge requests, including potentially confidential comments, diffs, or other metadata. This compromises the confidentiality of project data and may expose internal discussions or unreleased code.
Mitigation
GitLab addressed this vulnerability in version 12.9.1, released on March 26, 2020 [2]. Users should upgrade to 12.9.1 or later. Backported fixes are available in 12.8.2 and 12.7.2. No workaround is available; upgrading is the only mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab / GitLab EE/CE
- Range: >=8.17, <=12.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ (CONFIRM)
- about.gitlab.com/releases/categories/releases/ (MISC)
News mentions
No linked articles in our index yet.