GitLab EE Arbitrary Access to Private Reference Titles Vulnerability

Vulnerability

A vulnerability in GitLab EE has been identified, affecting versions from 16.0 prior to 16.3.6, from 16.4 prior to 16.4.2, and from 16.5 prior to 16.5.1. This issue allows arbitrary access to the titles of private GitLab-specific references, such as issues, merge requests, snippets, epics, vulnerabilities, and labels. The leak occurs through the service desk custom email template, where private issue titles can be accessed by referencing them in an email sent to a project's service desk.

Impact

Exploitation of this vulnerability allows access to the titles of private GitLab-specific references from any private project, including issues, merge requests, snippets, epics, vulnerabilities, and labels.

Reproduction

To reproduce this vulnerability, create a private project and a private issue within it. Then, in a separate project, add a file to the service desk template that includes a placeholder for the issue description. After sending an email to the project's service desk address that references the private issue, the title of the issue will be returned in the response.

Remediation

Users can update to GitLab versions 16.5.1, 16.4.2, or 16.3.6 to address this vulnerability.
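
For triaging an inventory of GitLab instances against the version ranges above, the following is an added example, not code from GitLab or from this advisory. Hostnames and the sample inventory are constructed, and reading "16.0 prior to 16.3.6" as 16.0.0 <= version < 16.3.6 is an assumption.

```python
import re

# Affected ranges as (first affected, first fixed), taken from the advisory text.
# Assumption: "16.0 prior to 16.3.6" means 16.0.0 <= version < 16.3.6.
AFFECTED_RANGES = [
    ((16, 0, 0), (16, 3, 6)),
    ((16, 4, 0), (16, 4, 2)),
    ((16, 5, 0), (16, 5, 1)),
]

# Accepts "16.3.5", "v16.4.1-ee", "16.5"; a suffix after the patch number is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?$")


def parse_version(text):
    """Return (major, minor, patch); a missing patch number is treated as 0."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def triage(version_text):
    """Return (status, minimum fixed version for that range or None)."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown", None  # needs manual review, never silently "safe"
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "affected", ".".join(map(str, first_fixed))
    return "outside_listed_ranges", None


def triage_inventory(inventory):
    """Map each host in {host: version string} to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "gitlab-a.example": "16.3.5-ee",
        "gitlab-c.example": "16.5",
        "gitlab-d.example": "not reported",
    }
    for host, (status, fixed) in triage_inventory(sample).items():
        print(f"{host}: {status}" + (f", upgrade to {fixed} or later" if fixed else ""))
```

A status of outside_listed_ranges only means the version is not in the ranges this advisory lists.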

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.