For example, if you have a sensitive role (e.g. admin) and assign it to a project containing sensitive data, then that project can be accessed by any user with cache enabled, regardless of their role. This could lead to sensitive data being accessed by unprivileged users. GitLab EE versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 have a bug that can lead to the data in the cache being publicly accessible via HTTP. It is recommended that you upgrade to the latest version of GitLab EE as soon as possible.

How to fix GitLab cache security bugs

Upgrade GitLab EE to the latest version, which fixes the security bug.

What to do if you are using GitLab EE?

Upgrade GitLab EE to the latest version.
See [What else should I do?] for recommendations on what to do if you are running a cluster, use multiple instances of GitLab Enterprise Edition, or have a large volume of projects.

What to do if you are affected?

If you are using GitLab EE prior to 15.2.5, 15.3 prior to 15.3.4, or 15.4 prior to 15.4.1 and find that the data in the cache is publicly accessible via HTTP, please contact us at support@gitlab.com with as much detail as possible, including the steps that led up to this result and your GitLab EE version number, so we can investigate further.
The bug has been resolved with GitLab EE version 16.0.
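The advisory names three affected ranges, and the fastest thing an operator can do is check their own instance's version string against them. The script below is an added example and is not GitLab's own tooling: the version thresholds are taken from the advisory text above, while the function names and the sample version strings are assumptions of mine. It also assumes the version string looks like `15.3.3-ee`, the form shown by `gitlab-rake gitlab:env:info` and returned by the `/api/v4/version` endpoint; the trailing `-ee` is optional for the parser.

```python
"""
Check a GitLab EE version string against the ranges named in the advisory:
any version prior to 15.2.5, 15.3.x prior to 15.3.4, and 15.4.x prior to 15.4.1.
Added example, not GitLab's code; thresholds from the advisory, names assumed.
"""
import re
from typing import Optional, Tuple

# (lowest version of the branch, first fixed version in that branch).
# The first entry starts at 0.0.0 because "prior to 15.2.5" covers every
# earlier release, including 14.x and 15.0/15.1, not just the 15.2 branch.
FIXED_VERSIONS = [
    ((0, 0, 0), (15, 2, 5)),   # everything before 15.2.5
    ((15, 3, 0), (15, 3, 4)),  # 15.3 branch, fixed in 15.3.4
    ((15, 4, 0), (15, 4, 1)),  # 15.4 branch, fixed in 15.4.1
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ee' suffix (assumed
    format of the version string shown by gitlab-rake gitlab:env:info)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-ee)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in one of the affected ranges."""
    v = parse_version(version)
    return any(lower <= v < fixed for lower, fixed in FIXED_VERSIONS)


def first_fixed_version(version: str) -> Optional[str]:
    """Return the first fixed release in the same branch for an affected
    version, or None if the version is not affected."""
    v = parse_version(version)
    for lower, fixed in FIXED_VERSIONS:
        if lower <= v < fixed:
            return ".".join(str(p) for p in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample version strings, not taken from any real instance.
    for sample in ["15.3.3-ee", "15.3.4-ee", "15.2.4-ee", "14.10.5-ee", "15.5.0-ee"]:
        target = first_fixed_version(sample)
        status = f"affected, upgrade to at least {target}" if target else "not affected"
        print(f"{sample}: {status}")
```

Note that "not affected" here only means the version is outside the ranges the advisory lists; the page still recommends upgrading to the latest GitLab EE release regardless.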

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/20/2022 14:25:00 UTC
