CVE-2021-39889: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab Enterprise Edition (EE) since version 14.1, an insecure direct object reference (IDOR) vulnerability was discovered that could expose protected branch names. The vulnerability allows a malicious user to reveal protected branch names by making crafted API calls with specific branch IDs (GitLab Security Release, CVE Details).

The vulnerability exists in the Status Checks feature of GitLab's merge request section. Due to improper access controls, an attacker could manipulate the protectedbranchids parameter in API requests to obtain branch names from private projects, even without having access to those projects. The vulnerability was assigned a medium severity rating with a CVSS score indicating limited impact (GitLab Security Release).

The vulnerability allows unauthorized users to discover protected branch names of private projects they don't have access to. Since branch IDs are sequential, an attacker could potentially enumerate and obtain multiple protected branch names across different projects (GitLab Security Release).

The vulnerability was patched in GitLab versions 14.3.1, 14.2.5, and 14.1.7. Users are strongly recommended to upgrade to one of these versions or later to address this security issue (GitLab Security Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher @ashishrpadelkar (GitLab Security Release).