Note:
This project will be discontinued after December 13, 2021. [more]
2020-02-17
Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.
Products | Gitlab |
Type | Insecure Storage of Sensitive Information (CWE-922) |
First patch | - None (likely due to unavailable code) |
Links |
• https://about.gitlab.com/blog/categories/releases/
• https://atomic111.github.io/article/gitlab-Unauthorized-Access-to-Container-Registry |