This is a follow-up to critical-security-release-gitlab-12-dot-1-dot-6-released.
Apparently GitLab allowed default passwords for the Grafana dashboard.
The Grafana dashboard, when accessed using the hard-coded credentials, allowed a malicious user to view internal resources that are accessible from the host where the GitLab instance resides.
On 15 August an unidentified person made use of these default credentials to log in as admin to the GitLab Grafana dashboard. They proceeded to change the admin password and posted about this publicly in our forum. There is no evidence that the attacker who used this vulnerability had access to user data. The kind of process and metrics data available in the Grafana instance can be seen here. In our infrastructure, GitLab runs on a separate server wrapped inside a Docker container, so information about running processes was about GitLab only.
We'd like to remind everyone that security-related issues should always be reported privately to the team, not on a public forum. We don't encourage such behaviour and thus deleted the original public report while confirming the security breach and the impact it had.
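The problem described above is a configuration one: a Grafana instance left with its shipped admin credentials. The following is an added example of the check an operator would run against a grafana.ini before exposing the dashboard; it is not GitLab's or Grafana's own code, and it goes slightly beyond the incident by also flagging anonymous dashboard access, which is another way internal metrics become readable without a real login. It assumes Grafana facts not stated in the post: the bundled account is admin/admin, it is configured under `[security]` as `admin_user` / `admin_password`, anonymous access lives under `[auth.anonymous]`, and any key can be overridden by an environment variable named `GF_<SECTION>_<KEY>`. The two config samples are constructed for the example, and the "hardened" password is a placeholder, not a real secret.

```python
import configparser
from typing import Dict, List, Optional

# Assumed Grafana facts (not stated in the post): the bundled admin account is
# "admin" with password "admin", configured in grafana.ini under [security] as
# admin_user / admin_password, and every key can be overridden through an
# environment variable named GF_<SECTION>_<KEY> with dots turned into underscores.
SHIPPED_ADMIN_USER = "admin"
SHIPPED_ADMIN_PASSWORD = "admin"

# Constructed sample: leaves the shipped credentials untouched and also lets
# unauthenticated visitors read dashboards.
WEAK_CONFIG = """
[security]
admin_user = admin
admin_password = admin

[auth.anonymous]
enabled = true
org_role = Viewer
"""

# Constructed sample: unique admin password (placeholder value, not a real
# secret) and anonymous access switched off.
HARDENED_CONFIG = """
[security]
admin_user = grafana-operator
admin_password = 7mVb2pQz9KdX4sLw1RtC

[auth.anonymous]
enabled = false
"""


def load_grafana_ini(ini_text: str) -> configparser.ConfigParser:
    """Parse grafana.ini text; interpolation is off so a '%' in a secret stays literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser


def env_override_name(section: str, key: str) -> str:
    """GF_SECURITY_ADMIN_PASSWORD for ("security", "admin_password"),
    GF_AUTH_ANONYMOUS_ENABLED for ("auth.anonymous", "enabled")."""
    return "GF_%s_%s" % (section.upper().replace(".", "_"), key.upper())


def effective_setting(parser: configparser.ConfigParser, env: Dict[str, str],
                      section: str, key: str, fallback: Optional[str] = None) -> Optional[str]:
    """The value Grafana would actually use: env override first, then the ini, then the default."""
    override = env.get(env_override_name(section, key))
    if override is not None:
        return override
    return parser.get(section, key, fallback=fallback)


def is_truthy(value: Optional[str]) -> bool:
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_grafana_config(ini_text: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings; an empty list means no default-credential or anonymous-access issue."""
    env = env or {}
    parser = load_grafana_ini(ini_text)
    findings: List[str] = []

    # The admin password is the finding that matters: unset means the shipped
    # default applies, and "admin" is that default spelled out.
    password = effective_setting(parser, env, "security", "admin_password")
    if password is None:
        findings.append("security.admin_password is unset, so the shipped default password applies")
    elif password == SHIPPED_ADMIN_PASSWORD:
        findings.append("security.admin_password is the shipped default")

    # Anonymous access hands out dashboards without any login at all.
    if is_truthy(effective_setting(parser, env, "auth.anonymous", "enabled", "false")):
        role = effective_setting(parser, env, "auth.anonymous", "org_role", "Viewer")
        findings.append("auth.anonymous.enabled is true: unauthenticated users get org role %s" % role)

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_grafana_config(text) or ["no findings"])
```

Run it against the real grafana.ini together with the process environment of the Grafana container (`audit_grafana_config(open(path).read(), dict(os.environ))`), because an operator who rotated the password only through `GF_SECURITY_ADMIN_PASSWORD` would otherwise see a false finding. Note that the check only tells you what the configured credentials are; a Grafana whose admin password was changed through the UI, as the attacker did here, needs the rotation done from the config or the CLI to get the operator back in.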