MEDIUM 4.7
GHSA-p3v4-c93g-cmhw
BBOT's gitlab.py exposes globally configured "gitlab" API key
Details
### Summary
bbot's `gitlab.py` sends the user's "gitlab" API key to on-premise GitLab instances.
If a user has configured a gitlab.com API key using this mechanism, it may be leaked to an attacker-controlled server.
### Impact
A user with a "gitlab" API key configured who uses bbot to scan a malicious webserver may leak their gitlab.com API key to an untrustworthy server.
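
One way to avoid this class of leak, shown as an added example (not BBOT's code or its actual fix): bind each token to the host it was issued for and attach it only on an exact host match. The `HOST_TOKENS` mapping, the function names and the token value are hypothetical; `PRIVATE-TOKEN` is GitLab's API token header.

```python
from urllib.parse import urlsplit

# Hypothetical config shape: each token is bound to the one host it was issued for.
# The token value is a constructed placeholder.
HOST_TOKENS = {"gitlab.com": "EXAMPLE-TOKEN-NOT-REAL"}


def normalize_host(url):
    """Return the lowercase hostname of an https URL on port 443, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if port not in (None, 443):
        return None
    # urlsplit ignores any "user@" prefix, so "gitlab.com@other.example"
    # resolves to "other.example" here.
    return parts.hostname.rstrip(".").lower()


def auth_headers_for(url, host_tokens=HOST_TOKENS):
    """Attach the GitLab token only when the target host matches exactly."""
    host = normalize_host(url)
    token = host_tokens.get(host) if host else None
    # No substring or suffix matching: "gitlab.com.attacker.example" is a miss.
    return {"PRIVATE-TOKEN": token} if token else {}


def vulnerable_headers_for(url, global_token):
    """The pattern the advisory describes: one global key, sent to any host."""
    return {"PRIVATE-TOKEN": global_token}
```

Self-hosted instances then need their own explicit entry in the mapping, so a host discovered during a scan never receives a key it was not configured for.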