Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab | Gitlab | 8.4.0 (including) | 13.4.7 (excluding) |
| Gitlab | Gitlab | 13.5.0 (including) | 13.5.5 (excluding) |
| Gitlab | Gitlab | 13.6.0 (including) | 13.6.2 (excluding) |
| Gitlab | Ubuntu | esm-apps/xenial | * |
| Gitlab | Ubuntu | xenial | * |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: