Skip to main content

Insecure Storage of Sensitive Information


Severity Medium
Score 4.3/10


Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.

  • LOW
  • NONE
  • NONE
  • LOW
  • LOW
  • NONE

CWE-922 - Insecure Storage of Sensitive Information

The software stores sensitive information without properly limiting read or write access by unauthorized actors.


Advisory Timeline

  • Published