View Access to Managed License of CI/CD settings of Project(Privilege escalation)
HackerOne report #439726 by vijay_kumar1110 on 2018-11-13:
## Summary & Description

In Project Settings -> CI/CD -> Manage licenses you can manage licenses. Only a few user roles in the project have the ability to view this section. The API request mentioned below discloses the managed licenses of the project.

API request: https://gitlab.com/api/v4/projects/[Project_ID]/managed_licenses

In order to reproduce the issue I tried to restrict most of the sections/permissions in an internal project, but I was still able to access these licenses. In the permission list of the project you can see that only developers and higher-level users can access this information. Link: https://docs.gitlab.com/ee/user/permissions.html (search for "View approved/blacklisted licenses" and you will see this information).
## Vulnerable API request

https://gitlab.com/api/v4/projects/[Project_ID]/managed_licenses

## Sample JSON response

```json
[{"id":249,"name":"AGPL-1.0","approval_status":"blacklisted"},{"id":264,"name":"BSD","approval_status":"approved"}]
```
Steps To Reproduce:

Take 2 different accounts to reproduce this issue.

1. Log in from the victim account and create a project.
2. Keep the project internal/public and set "Only project members" for all the sections.
3. Also disable public pipelines so that permissions don't mix up.
4. Now no non-member should be able to access managed licenses.
5. Now log in from the attacker account and go to the project.
6. You will notice that this user doesn't have access to many sections, especially the CI/CD settings.
7. Now run the above-mentioned API request with a valid project_ID.
8. In the JSON response you will be able to access the managed licenses.
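As an added illustration that is not part of the report or of GitLab's own code, the Ruby sketch below contrasts an authorization check keyed on project visibility alone (the behaviour the steps above expose: a non-member of an internal project still receives the list) with one keyed on the member role that the permissions page specifies (developer and above). The `Project` struct, the role table, the user names and the license rows are constructed for the example.

```ruby
# Added illustration, not GitLab source: a minimal model of the authorization
# gap described in the report. Role ordering follows the GitLab permissions
# page cited above; project, user and license values are constructed.
require 'json'

ROLE_LEVEL = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed rows in the same shape as the JSON response quoted in the report.
MANAGED_LICENSES = [
  { 'id' => 249, 'name' => 'AGPL-1.0', 'approval_status' => 'blacklisted' },
  { 'id' => 264, 'name' => 'BSD',      'approval_status' => 'approved' }
].freeze

# visibility: :private, :internal or :public; members: { user_name => role }
Project = Struct.new(:visibility, :members)

# Vulnerable pattern: the endpoint is gated on project visibility. Any signed-in
# user can read an internal/public project's licenses, member or not, and the
# "Only project members" setting on other sections never enters the decision.
def managed_licenses_visibility_only(project, user)
  visible = %i[internal public].include?(project.visibility)
  return nil unless visible || project.members.key?(user)
  MANAGED_LICENSES
end

# Fixed pattern: require membership at developer level or above, the rule the
# permissions documentation states for "View approved/blacklisted licenses".
# Visibility is irrelevant; a non-member or a guest/reporter gets nothing.
def managed_licenses_role_checked(project, user)
  role = project.members[user]
  return nil if role.nil? || ROLE_LEVEL.fetch(role) < ROLE_LEVEL[:developer]
  MANAGED_LICENSES
end

# Serializes the way the API response in the report looks; nil stays nil so a
# caller can map it to a 403/404 instead of an empty list.
def to_api_json(licenses)
  licenses.nil? ? nil : JSON.generate(licenses)
end
```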
Supporting Material/References:
Let me know if you require one.
Impact
View Access to Managed License of CI/CD settings of Project(Privilege escalation)