Unrated severity · NVD Advisory · Published Apr 8, 2020 · Updated Aug 4, 2024

CVE-2020-10978

Description

GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab leaks issue metadata when an issue is moved from a public to a private project via the Web UI or GraphQL API, affecting versions 8.11 through 12.9.

Vulnerability

GitLab EE/CE versions 8.11 through 12.9 inadvertently leak information about issues that were created in a public project and subsequently moved to a private project. The leaked information is accessible through both the Web UI and the GraphQL API [2]. The issue affects the default configuration and does not require any special settings to be exploitable.

Exploitation

An attacker does not need any special privileges; they can be an unauthenticated user or a low-privileged user. The attacker simply views the public project's issue list or queries the GraphQL API after an issue has been moved from a public to a private project. The metadata of the moved issue (such as title, description, and comments) remains visible in the public project's historical issue data even after the move [1][2].

Impact

Successfully exploiting this vulnerability allows an attacker to gain unauthorized access to sensitive information originally intended to be private. The leaked data may include issue titles, descriptions, and discussion content, leading to information disclosure. The attacker does not gain any code execution or privilege escalation; the impact is limited to confidentiality loss [2].

Mitigation

GitLab released a fix in version 12.9.1 on March 26, 2020 [2]. Users should upgrade to GitLab 12.9.1 or later. For versions prior to 12.9.1, no workaround is documented; upgrading is the recommended mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

2
