GitLab SAST Vulnerability Report Information Disclosure via Issue Link Deletion (CWE-200)

Key Information Issue Title: Ability to access a previously accessible issue Vulnerability Details: - Users cannot link to issues they cannot access, but they can delete links to issues they previously created. - When deleting an issue link, all associated information related to that issue is also returned. - If the issue link was created by the user and the issue’s visibility level is later changed, the user can still retrieve inaccessible information by deleting the issue link. Reproduction Steps: 1. As the victim, create a public project and create an issue. 2. As the attacker, obtain a vulnerability report (if already available, skip to step 4). 3. As the attacker, create a project, then go to Security & Compliance → Configuration → Enable (SAST) → Upload a PHP file with specific code → Wait for the pipeline to pass → Navigate to the vulnerability report. 4. Go to the vulnerability report → Link to the issue created on Sept 1 (paste the issue link). 5. Intercept the request → Remove the intercepted request, and do not forward it (otherwise, it will be removed). 6. As the victim, change the project visibility to private and modify the title and description of the issue created in step 1. Status: Complete Tags: - HackerOne, Weakness, CWE-200, [deprecated], Accepting merge requests, backend, bug, vulnerability, devops, plan, group, project management, priority 4, section, dev, security, security-backlog, review-complete, severity 4, type, bug, workflow, in review

Goal Reached Thanks to every supporter — we hit 100%!

GitLab SAST Vulnerability Report Information Disclosure via Issue Link Deletion (CWE-200)