VYPR
Unrated severity · NVD Advisory · Published Apr 5, 2023 · Updated Feb 10, 2025

CVE-2023-1098

Description

An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, and all versions starting from 15.10 before 15.10.1; it allows an admin to leak the password from the repository mirror configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE/CE versions 11.5 through 15.10.0 disclose repository mirror passwords in error tooltips to maintainers, allowing credential leakage.

Vulnerability

An information disclosure vulnerability exists in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. When a repository mirror encounters an error, the error tooltip reveals the stored password instead of masking it with asterisks, as detailed in the GitLab issue [1].

Exploitation

An attacker with maintainer-level access to a project that has a repository mirror configured can trigger this vulnerability. By causing an error during mirror synchronization (e.g., using an invalid URL or inducing a failure in the mirror server), the error tooltip displays the plaintext password. No additional user interaction is required beyond the trigger.

Impact

Successful exploitation allows a maintainer to view the stored password for the repository mirror, leading to unauthorized access to the external repository or service. This compromises confidentiality of the credential and could enable further attacks if the password is reused elsewhere.

Mitigation

GitLab has released fixed versions 15.10.1, 15.9.4, and 15.8.5 [1]. Users should upgrade to these or later versions. No workaround is available; users must update to patch the vulnerability.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The error message returned by the repository mirroring feature includes the plaintext password instead of masking it."

Attack vector

An attacker with at least Maintainer access to a GitLab project can trigger a mirror synchronization error (e.g., by configuring an invalid mirror URL such as `git://github.com/onezoomin/logseq.git/` with any password). When the error occurs, the error tooltip reveals the stored password in plaintext [ref_id=1]. The attacker does not need special network access beyond normal GitLab web access, and the only precondition is Maintainer-level permissions on the target project.

Affected code

The vulnerability resides in the repository mirroring feature of GitLab EE/CE. When a mirror synchronization error occurs, the error tooltip in the Settings UI exposes the stored password in plaintext, even though the URL field itself masks it with `***`.

What the fix does

The advisory does not include a published patch diff. The expected correct behavior, as stated in the issue [ref_id=1], is that the error tooltip should not reveal the password. The fix would involve sanitizing the error message returned by the mirroring subsystem to redact or mask the password before displaying it in the Settings UI, consistent with how the URL field already masks the password with `***`.
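As an added illustration, not GitLab's code and not the unpublished fix itself, here is the kind of redaction step the paragraph describes, in Ruby (GitLab's language): the password in any embedded mirror URL is masked with `***`, and any bare or percent-encoded copy of the stored secret is stripped from the error text before it is shown. The names `MASK`, `mask_url_credentials` and `redact_mirror_error` and the sample error string are assumptions made for this example.

```ruby
require 'uri'

# Added example, not GitLab's code: the redaction the fix needs, applied to a
# raw mirror error before it reaches the Settings UI tooltip. Constructed inputs.
MASK = '***'.freeze

# Mask only the password part of a URL's userinfo (the user name stays visible,
# matching how the mirror URL field already renders "user:***@host").
def mask_url_credentials(url)
  uri = URI.parse(url)
  return url if uri.password.nil?
  uri.password = MASK
  uri.to_s
rescue URI::Error
  # Unparseable input: fall back to a plain "scheme://user:pass@" rewrite.
  url.sub(%r{\A([a-z][a-z0-9+.-]*://[^:/@\s]*:)[^@/\s]+@}i, "\\1#{MASK}@")
end

# Scrub a raw mirror error message: mask every embedded URL, then remove any
# remaining literal or percent-encoded copy of the stored password (git echoes
# the URL verbatim in "unable to access" errors; other backends may echo the
# secret on its own).
def redact_mirror_error(message, password)
  scrubbed = message.gsub(%r{[a-z][a-z0-9+.-]*://[^\s'"]+}i) { |u| mask_url_credentials(u) }
  return scrubbed if password.nil? || password.empty?
  [password, URI.encode_www_form_component(password)].uniq.each do |secret|
    scrubbed = scrubbed.gsub(secret, MASK)
  end
  scrubbed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed git error for a mirror whose stored password is "s3cr3t!".
  raw = "fatal: unable to access 'https://deploy:s3cr3t%21@git.example.test/repo.git/': Could not resolve host"
  puts redact_mirror_error(raw, 's3cr3t!')
end
```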

Preconditions

  • Auth: Attacker must have at least Maintainer role on the target GitLab project
  • Input: A mirror synchronization error must occur (can be triggered by configuring an invalid mirror URL)
  • Network: Attacker must have web access to the GitLab instance's Settings UI for the project

Reproduction

1. Create a repository mirror with a configuration that causes an error, e.g., using an invalid URL such as `git://github.com/onezoomin/logseq.git/` and providing any password.
2. Manually trigger the repository mirror sync or wait for GitLab to schedule it.
3. Observe the stored password revealed in plaintext in the error tooltip in the Settings UI [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)