TOPGITLAB.md

Top reports from GitLab program at HackerOne:

  1. Arbitrary file read via the UploadsRewriter when moving an issue to GitLab - 1367 upvotes, $20000
  2. Git flag injection - local file overwrite to remote code execution to GitLab - 740 upvotes, $12000
  3. Exfiltrate and mutate repository and project data through injected templated service to GitLab - 726 upvotes, $11000
  4. Stored XSS in Wiki pages to GitLab - 589 upvotes, $4500
  5. Local files could be overwritten in GitLab, leading to remote command execution to GitLab - 531 upvotes, $12000
  6. Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 429 upvotes, $12000
  7. gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read to GitLab - 385 upvotes, $10000
  8. JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions to GitLab - 346 upvotes, $12000
  9. Bypass of GitLab CI runner slash fix in YAML validation to GitLab - 344 upvotes, $12000
  10. Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 335 upvotes, $7000
  11. SSRF on project import via the remote_attachment_url on a Note to GitLab - 332 upvotes, $10000
  12. Server Side Request Forgery mitigation bypass to GitLab - 326 upvotes, $3500
  13. An attacker can run pipeline jobs as arbitrary user to GitLab - 292 upvotes, $12000
  14. Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com to GitLab - 289 upvotes, $9500
  15. Cross-site Scripting (XSS) - Stored in RDoc wiki pages to GitLab - 270 upvotes, $3500
  16. Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain to GitLab - 225 upvotes, $3000
  17. Privilege escalation from any user (including external) to gitlab admin when admin impersonates you to GitLab - 218 upvotes, $10000
  18. Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 214 upvotes, $4000
  19. Group search leaks private MRs, code, commits to GitLab - 205 upvotes, $7000
  20. Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties to GitLab - 204 upvotes, $3000
  21. Full Read SSRF on Gitlab's Internal Grafana to GitLab - 190 upvotes, $12000
  22. Git flag injection leading to file overwrite and potential remote code execution to GitLab - 164 upvotes, $3500
  23. Snippet JS template allows attacker to read a user's private snippets to GitLab - 163 upvotes, $300
  24. Information disclosure of secret_key_base via encoding characters to GitLab - 143 upvotes, $3500
  25. Importing GitLab project archives can replace uploads of other users to GitLab - 136 upvotes, $5000
  26. DoS on the Issue page by exploiting Mermaid to GitLab - 136 upvotes, $3000
  27. Persistent XSS in Note objects to GitLab - 132 upvotes, $4500
  28. Send arbitrary PUT requests when user clicks on a link to GitLab - 127 upvotes, $3000
  29. Git flag injection - Search API with scope 'blobs' to GitLab - 121 upvotes, $7000
  30. Read files on application server, leads to RCE to GitLab - 108 upvotes, $0
  31. Group search with Elastic search enable leaks unrelated data to GitLab - 95 upvotes, $7000
  32. Stored XSS in "Create Groups" to GitLab - 81 upvotes, $2500
  33. Unrestricted file upload leads to Stored XSS to GitLab - 79 upvotes, $1500
  34. DoS attack via comment on Issue to GitLab - 76 upvotes, $1000
  35. GitLab-Runner on Windows DOCKER_AUTH_CONFIG container host Command Injection to GitLab - 70 upvotes, $6500
  36. SSRF in CI after first run to GitLab - 69 upvotes, $3000
  37. GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery to GitLab - 60 upvotes, $5000
  38. GraphQL query "namespace" leaks data to GitLab - 58 upvotes, $1000
  39. Ability to access all user authentication tokens, leads to RCE to GitLab - 56 upvotes, $0
  40. Know whether private project name exists or not within a group using link comments to GitLab - 55 upvotes, $300
  41. Command injection by overwriting authorized_keys file through GitLab import to GitLab - 48 upvotes, $2000
  42. All functions that allow users to specify color code are vulnerable to ReDoS to GitLab - 48 upvotes, $1000
  43. Client-side resource exhaustion by exploiting GitLab math rendering to GitLab - 48 upvotes, $1000
  44. [Admin Panel] CSRF to resume/pause runner to GitLab - 48 upvotes, $500
  45. Access to GitLab's Slack by abusing issue creation from e-mail to GitLab - 47 upvotes, $0
  46. Bypass Email Verification using Salesforce -- Reproducible in gitlab.com to GitLab - 45 upvotes, $1500
  47. XSS on Issue reference numbers to GitLab - 45 upvotes, $1500
  48. EXIF metadata not stripped from JPG group logos to GitLab - 44 upvotes, $500
  49. Stored XSS in markdown when redacting references to GitLab - 43 upvotes, $5000
  50. GitLab CI runner can read and poison cache of all other projects to GitLab - 39 upvotes, $2000
  51. SQL injection in MilestoneFinder order method to GitLab - 38 upvotes, $2000
  52. Milestones leaked via search API to GitLab - 38 upvotes, $1000
  53. Using GitLab to monitor and hijack domains in mass quantity to GitLab - 33 upvotes, $750
  54. Stored XSS in blob viewer to GitLab - 32 upvotes, $2000
  55. Stored XSS in error message of build-dependencies to GitLab - 31 upvotes, $3000
  56. Bypassing push rules via MRs created by Email to GitLab - 30 upvotes, $3000
  57. Insecure 2FA/authentication implementation creates a brute force vulnerability to GitLab - 30 upvotes, $0
  58. Injection of http.\<url\>.* git config settings leading to SSRF to GitLab - 29 upvotes, $3000
  59. Privilege escalation due to insecure use of logrotate to GitLab - 29 upvotes, $1000
  60. Uncontrolled Resource Consumption in any Markdown field using Mermaid to GitLab - 29 upvotes, $1000
  61. Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook to GitLab - 29 upvotes, $750
  62. Vulnerability in project import leads to arbitrary command execution to GitLab - 29 upvotes, $0
  63. Stored XSS in group issue list to GitLab - 26 upvotes, $2000
  64. Access projects and create projects on GitLab pre-production server to GitLab - 26 upvotes, $1000
  65. Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com to GitLab - 26 upvotes, $0
  66. Persistent XSS via e-mail when creating merge requests to GitLab - 24 upvotes, $750
  67. Unauthorized access to private project security dashboard to GitLab - 22 upvotes, $2000
  68. Last build status and coverage leaked to unauthorized users to GitLab - 22 upvotes, $750
  69. Unauthorized users may be able to view almost all information related to private projects to GitLab - 22 upvotes, $0
  70. Stored XSS on PyPi simple API endpoint to GitLab - 21 upvotes, $3000
  71. GitLab's GitHub integration is vulnerable to SSRF vulnerability to GitLab - 21 upvotes, $2000
  72. Stealing data from customers.gitlab.com without user interaction to GitLab - 20 upvotes, $3500
  73. Possibility to purchase Ultimate - 1 Year (EDU or OSS) to GitLab - 20 upvotes, $500
  74. all private tokens are leaked to an unauthenticated attacker to GitLab - 20 upvotes, $0
  75. [Markdown] Stored XSS via character encoding parser bypass to GitLab - 20 upvotes, $0
  76. SafeParamsHelper::safe_params is not so safe to GitLab - 19 upvotes, $4000
  77. Claiming package names in GitLab's automatic package referencer to GitLab - 19 upvotes, $1000
  78. CSV injection in gitlab.com via issues export feature to GitLab - 19 upvotes, $0
  79. Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR) to GitLab - 18 upvotes, $1000
  80. CRLF injection & SSRF in git:// protocol lead to arbitrary code execution to GitLab - 18 upvotes, $0
  81. Race condition in GitLab import, giving access to other people's imports due to filename collision to GitLab - 17 upvotes, $0
  82. Stored XSS in merge request pages to GitLab - 17 upvotes, $0
  83. Bypassing password authentication of users that have 2FA enabled to GitLab - 16 upvotes, $0
  84. Stored XSS on Files overview by abusing git submodule URL to GitLab - 16 upvotes, $0
  85. Instant open redirect on Live Preview Web IDE opening to GitLab - 15 upvotes, $1000
  86. Privilege escalation to access all private groups and repositories to GitLab - 15 upvotes, $0
  87. SSRF vulnerability in gitlab.com via project import to GitLab - 15 upvotes, $0
  88. Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... to GitLab - 14 upvotes, $5000
  89. No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im to GitLab - 14 upvotes, $1000
  90. Stored XSS on Issue details page to GitLab - 14 upvotes, $0
  91. Private System Note Disclosure using GraphQL to GitLab - 13 upvotes, $1000
  92. GitHub import allows user to create child group under existing namespace to GitLab - 13 upvotes, $750
  93. Persistent XSS on public wiki pages to GitLab - 13 upvotes, $0
  94. User with guest access can access private merge requests to GitLab - 13 upvotes, $0
  95. Gitlab is vulnerable to impersonation attacks due to broken links to GitLab - 13 upvotes, $0
  96. Insufficient Type Check on GraphQL leading to Maintainer delete repository to GitLab - 12 upvotes, $4000
  97. Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result to GitLab - 12 upvotes, $3000
  98. Removing a user from a private group doesn't remove them from the group's project, if their project role was changed to GitLab - 12 upvotes, $2000
  99. SSRF In plantuml (on plantuml.pre.gitlab.com) to GitLab - 12 upvotes, $100
  100. Every user can delete public deploy keys to GitLab - 12 upvotes, $0
  101. Inadequate cache control in gitter allows to view private chat room to GitLab - 12 upvotes, $0
  102. State filter in IssuableFinder allows attacker to delete all issues and merge requests to GitLab - 11 upvotes, $0
  103. Unfiltered class attribute in markdown code to GitLab - 11 upvotes, $0
  104. SSRF when importing a project from a git repo by URL to GitLab - 11 upvotes, $0
  105. Guest users can change the confidentiality attribute on those issues that have been assigned to them to GitLab - 10 upvotes, $100
  106. XSS On meta tags in profile page to GitLab - 10 upvotes, $0
  107. Users can download old project exports due to unclaimed namespace to GitLab - 10 upvotes, $0
  108. Persistent XSS - Selecting users as allowed merge request approvers to GitLab - 10 upvotes, $0
  109. HTML tag injection on profile name to GitLab - 10 upvotes, $0
  110. Blocked user Git access through CI/CD token to GitLab - 9 upvotes, $1500
  111. Attacker can extract list of private project's project members to GitLab - 9 upvotes, $0
  112. Users with guest access can post notes to private merge requests, issues, and snippets to GitLab - 9 upvotes, $0
  113. SSRF vulnerability in gitlab.com webhook to GitLab - 9 upvotes, $0
  114. Unauthorized user is able to access schedule pipeline variables and values to GitLab - 8 upvotes, $3000
  115. SSRF into Shared Runner, by replacing dockerd with malicious server in Executor to GitLab - 8 upvotes, $2000
  116. Head pipeline leaked to unauthorized users via blocking merge request feature to GitLab - 8 upvotes, $1000
  117. Last pipeline status for MR leaked to GitLab - 8 upvotes, $750
  118. Boards leak private label names and descriptions to GitLab - 8 upvotes, $0
  119. Markdown based stored XSS (IE only) to GitLab - 8 upvotes, $0
  120. XSS (Persistent) - Selecting role(s) for protected branches to GitLab - 8 upvotes, $0
  121. Container scanning and Dependency scanning report leaked to unauthorized users to GitLab - 7 upvotes, $3000
  122. Elasticsearch leaks data through the notes scope to GitLab - 7 upvotes, $1000
  123. [RDoc] XSS in project README files to GitLab - 7 upvotes, $0
  124. [reStructuredText] XSS in project README files to GitLab - 7 upvotes, $0
  125. Gitlab.com is vulnerable to reverse tabnabbing to GitLab - 7 upvotes, $0
  126. Gitlab.com is vulnerable to reverse tabnabbing (#2) to GitLab - 7 upvotes, $0
  127. Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) to GitLab - 7 upvotes, $0
  128. Todos are not redacted when membership changes - Access to (confidential) issues and merge requests to GitLab - 6 upvotes, $2000
  129. Labels created in private projects are leaked to GitLab - 6 upvotes, $0
  130. Persistent XSS on public project page to GitLab - 6 upvotes, $0
  131. [Subgroups] Unprivileged User Can Disclose Private Group Names to GitLab - 6 upvotes, $0
  132. CSRF Token Bypass in Account Deletion to GitLab - 6 upvotes, $0
  133. GFM renderer leaks external issue tracker URL of private project to GitLab - 6 upvotes, $0
  134. Impersonation attack via Broken Link in Resellers Page to GitLab - 6 upvotes, $0
  135. Potential SSRF via Git repository URL to GitLab - 6 upvotes, $0
  136. Double linking causes XSS (but blocked by CSP on gitlab.com) to GitLab - 6 upvotes, $0
  137. Attacker can post notes on private MR, snippets, and issues to GitLab - 5 upvotes, $0
  138. Attacker can delete (and read) private project webhooks to GitLab - 5 upvotes, $0
  139. [Textile] XSS in project README files to GitLab - 5 upvotes, $0
  140. Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links (#3) to GitLab - 5 upvotes, $0
  141. Guests can disclose a private project's full activity via project activity feeds to GitLab - 5 upvotes, $0
  142. Adding everyone to the repo due to the lack of rate limit to GitLab - 5 upvotes, $0
  143. Private snippets in public / internal projects leaked through the GitLab API to GitLab - 4 upvotes, $0
  144. Confidential issues leaked in public projects when attached to milestone to GitLab - 4 upvotes, $0
  145. [Repository Import] Open Redirect via "continue[to]" parameter to GitLab - 4 upvotes, $0
  146. Members from parent group keep their access level on a subgroup transfer and are invisible to GitLab - 3 upvotes, $4000
  147. Initial mirror user can be assigned by other user even if the mirror was removed to GitLab - 3 upvotes, $3000
  148. Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings to GitLab - 3 upvotes, $1000
  149. Open redirect to GitLab - 3 upvotes, $0
  150. CSRF-Token leak by request forgery to GitLab - 3 upvotes, $0
  151. Cookie bomb to GitLab - 3 upvotes, $0
  152. SSRF via git Repo by URL Abuse to GitLab - 2 upvotes, $0
  153. Lack of validation before assigning custom domain names leading to abuse of GitLab pages service to GitLab - 2 upvotes, $0
  154. Email notification about login email changed is not received when using verified linked email address to GitLab - 2 upvotes, $0
  155. Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution to GitLab - 0 upvotes, $0
