All versions of GitLab CE/EE starting from 9.5 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 allow a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab | Gitlab | 9.5.0 (including) | 13.10.5 (excluding) |
| Gitlab | Gitlab | 13.11.0 (including) | 13.11.5 (excluding) |
| Gitlab | Gitlab | 13.12.0 (including) | 13.12.2 (excluding) |
| Gitlab | Ubuntu | esm-apps/xenial | * |
| Gitlab | Ubuntu | upstream | * |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: