CVE-2021-22233
Description
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 13.10+ WebIDE discloses private project details due to missing permission check in IdeController.
Vulnerability
In GitLab EE versions 13.10 and later, the WebIDE's IdeController does not enforce permission checks when resolving a project by its full path. The project method uses Project.find_by_full_path(params[:project_id]) without verifying the current user's access rights. The resulting project data is then included in the page source via the ide_data helper and the _show.html.haml template, leaking details of private projects to any authenticated user who visits /-/ide/project/<full_project_path> [1].
Exploitation
An attacker must be authenticated as any GitLab user (no special privileges required). The attacker navigates to the WebIDE URL of a target private project, e.g., /-/ide/project/owner/private-project. The page source contains a data-project JSON attribute with the project's metadata. No user interaction beyond visiting the URL is needed [1].
Impact
Successful exploitation discloses sensitive project metadata, including the project ID, description, name, name with namespace, path, and path with namespace. This information can be used to identify private projects and their details, violating confidentiality [1].
Mitigation
The cited reference does not state the fix version explicitly. The affected range recorded on this page (>=13.10, <13.11.6) implies that 13.11.6 is the first unaffected release on that line, but administrators should confirm the patched versions in GitLab's official security advisory and upgrade to a current GitLab EE release [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=13.10
- Range: >=13.10, <13.11.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in `IdeController.project` allows any authenticated user to retrieve private project details via the WebIDE endpoint."
Attack vector
An authenticated attacker can access the WebIDE path `/-/ide/project/
Affected code
The `IdeController` in GitLab EE 13.10+ uses `Project.find_by_full_path(params[:project_id])` to look up the project without any authorization check. The resulting project object is passed to `IdeHelper.ide_data` and rendered in the `app/views/ide/_show.html.haml` template, leaking project details to any authenticated user who visits `/-/ide/project/
What the fix does
No patch is included in the bundle. The advisory [1] states that the fix must add permission checks inside `IdeController` when searching for a project by full path, so that only users authorized to read the project can retrieve its data via the WebIDE endpoint; an unauthorized request should behave as if the project did not exist rather than confirm it.
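To make the missing check concrete, the following Ruby example contrasts the vulnerable lookup pattern with a hardened one. This is an added illustration, not GitLab's code: `Project`, `User`, `find_by_full_path`, `can_read_project?` and `ide_data` are simplified stand-ins (assumptions) for `Project.find_by_full_path`, GitLab's `can?(user, :read_project, project)` policy check and `IdeHelper.ide_data`, and the sample projects are constructed.

```ruby
require 'json'

# Stand-ins for GitLab's models (assumption: not the real schema).
Project = Struct.new(:id, :name, :path_with_namespace, :visibility, :members,
                     keyword_init: true) do
  def full_path
    path_with_namespace
  end
end

User = Struct.new(:username, keyword_init: true)

# Constructed sample data: one public and one private project, both owned by alice.
PROJECTS = [
  Project.new(id: 1, name: 'Docs',   path_with_namespace: 'acme/docs',
              visibility: 'public',  members: %w[alice]),
  Project.new(id: 2, name: 'Secret', path_with_namespace: 'acme/secret',
              visibility: 'private', members: %w[alice])
].freeze

# Stand-in for Project.find_by_full_path: a bare lookup with no authorization.
def find_by_full_path(full_path)
  PROJECTS.find { |p| p.full_path == full_path }
end

# Stand-in for GitLab's policy layer (assumption): public projects are readable
# by anyone, private projects only by their members.
def can_read_project?(user, project)
  return true if project.visibility == 'public'

  !user.nil? && project.members.include?(user.username)
end

# Vulnerable pattern described in the advisory: the controller resolves the
# project purely by path, so the template receives data for any existing project.
def vulnerable_project_lookup(_current_user, project_id)
  find_by_full_path(project_id)
end

# Hardened pattern: same lookup, but the result is discarded unless the
# requester may read the project. Returning nil (rendered as 404 by the
# controller) also avoids confirming that a private project exists.
def fixed_project_lookup(current_user, project_id)
  project = find_by_full_path(project_id)
  return nil unless project && can_read_project?(current_user, project)

  project
end

# Stand-in for IdeHelper.ide_data: the fields the advisory says were leaked.
def ide_data(project)
  return {} if project.nil?

  {
    'project' => {
      'id' => project.id,
      'name' => project.name,
      'path_with_namespace' => project.path_with_namespace
    }.to_json
  }
end
```

The point of the hardened version is that authorization happens before the object reaches the view layer; adding the check in the template would be too late, because any later helper that touches the project object would reintroduce the leak.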
Preconditions
- auth: Attacker must have a valid GitLab account (any authenticated user).
- config: The target project must be set to 'private' visibility.
- input: Attacker must know the full project path (namespace/project-name) of the target private project.
Reproduction
1. Log in as `user1`, create and initialize a private project.
2. Log in as `user2` (a different account).
3. Navigate to `/-/ide/project/
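A practitioner verifying the reproduction usually wants a repeatable check rather than reading page source by eye. The Ruby snippet below, added here and not part of the advisory, extracts the `data-project` attribute from a saved copy of the WebIDE page and reports whether it names the target project. The two HTML samples are constructed; the exact markup GitLab renders (the attribute name and HTML-escaped JSON value) is an assumption and should be confirmed against a real page source.

```ruby
require 'json'
require 'cgi'

# Constructed sample of a leaking page (assumption about the rendered markup).
LEAKED_PAGE = <<~HTML
  <div id="ide" class="ide-loading" data-project='{&quot;id&quot;:42,&quot;name&quot;:&quot;Payroll&quot;,&quot;path_with_namespace&quot;:&quot;acme/payroll&quot;}'></div>
HTML

# Constructed sample of what a patched instance should return to a non-member.
PATCHED_PAGE = <<~HTML
  <h1>404 Not Found</h1>
HTML

# Pull the JSON out of the data-project attribute; nil when it is absent.
def extract_project_data(html)
  m = html.match(/data-project='([^']*)'/)
  return nil unless m

  JSON.parse(CGI.unescapeHTML(m[1]))
rescue JSON::ParserError
  nil
end

# True when the page discloses metadata for the project at expected_path.
def leaks_project?(html, expected_path)
  data = extract_project_data(html)
  !data.nil? && data['path_with_namespace'] == expected_path
end
```

Run it against a page fetched in the session of a user who is not a member of the private project; a leak means the instance is still affected, while a 404 with no `data-project` attribute is the expected post-fix behaviour.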
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22233.json (MITRE refsource: CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/329446 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.