Privilege escalation on LDAP sync

Customer incident report: https://gitlab.zendesk.com/agent/tickets/23090


On our production instance of GitLab Enterprise Edition 8.7.1-ee 30bca296 we have a serious security issue.

Certain users/groups are getting master permissions on every group.


Notes from Webex meeting

  • May 4 updated from 8.6.x to 8.7.1
  • starting May 6 logs show a lot of users being added to projects
  • It seems too many users get access to projects

Problem summary: we have one example user (of many) who should have access to less than 10 groups but who suddenly has access to over 300 groups. We have an example of a GitLab group with two LDAP links; the example user is in neither of the linked groups.

This seems to happen on each LDAP sync (users having access to more and more groups/projects).
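The two tells above (a user present in a group that none of its LDAP group links explain, and membership counts that grow with every sync) can be turned into a scoping check. The following is an added example, not code from this issue or from GitLab itself: it works on constructed snapshots of LDAP group membership and GitLab group configuration (the hash layout, group names and user names are all assumptions), flags members that no linked LDAP group accounts for, flags users whose group count exceeds a threshold, and diffs two snapshots to show growth between syncs.

```ruby
# Added example (not GitLab code): reconcile GitLab group membership against the
# LDAP group links configured on each group. All data below is constructed.

# Hypothetical LDAP snapshot: group CN => member usernames.
LDAP_GROUPS = {
  "dev-team" => %w[alice bob],
  "ops-team" => %w[carol],
  "qa-team"  => %w[dave]
}.freeze

# Hypothetical GitLab snapshot: group path => { links: linked CNs, members: users }.
GITLAB_GROUPS = {
  "backend" => { links: %w[dev-team ops-team], members: %w[alice bob carol erin] },
  "infra"   => { links: %w[ops-team],          members: %w[carol erin] },
  "qa"      => { links: %w[qa-team],           members: %w[dave erin] }
}.freeze

# Members of a GitLab group whose presence no linked LDAP group explains.
def unexplained_members(group, ldap = LDAP_GROUPS, gitlab = GITLAB_GROUPS)
  data = gitlab.fetch(group)
  expected = data[:links].flat_map { |cn| ldap.fetch(cn, []) }.uniq
  data[:members] - expected
end

# group => unexplained members, for groups that have any.
def audit(ldap = LDAP_GROUPS, gitlab = GITLAB_GROUPS)
  gitlab.keys.each_with_object({}) do |group, out|
    extra = unexplained_members(group, ldap, gitlab)
    out[group] = extra unless extra.empty?
  end
end

# Users that belong to more groups than the threshold allows.
def over_exposed_users(threshold, gitlab = GITLAB_GROUPS)
  counts = Hash.new(0)
  gitlab.each_value { |g| g[:members].each { |user| counts[user] += 1 } }
  counts.select { |_, n| n > threshold }.keys.sort
end

# Memberships present in the later snapshot but not the earlier one
# (user => groups gained), to confirm growth across a sync.
def membership_growth(before, after)
  after.each_with_object({}) do |(group, data), gained|
    previous = before.dig(group, :members) || []
    (data[:members] - previous).each { |user| (gained[user] ||= []) << group }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |group, extra| puts "#{group}: unexplained #{extra.join(', ')}" }
  puts "users in more than 2 groups: #{over_exposed_users(2).join(', ')}"
  # Constructed "previous sync" snapshot in which erin was only in infra.
  earlier = {
    "backend" => { links: %w[dev-team ops-team], members: %w[alice bob carol] },
    "infra"   => { links: %w[ops-team],          members: %w[carol erin] },
    "qa"      => { links: %w[qa-team],           members: %w[dave] }
  }
  membership_growth(earlier, GITLAB_GROUPS).each do |user, groups|
    puts "#{user} gained: #{groups.join(', ')}"
  end
end
```

In a real investigation the two hashes would be filled from an LDAP export and from the instance's group membership and link tables; the check itself stays the same, and the group-count threshold should be set from what a typical user in that organisation is expected to have.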

@jacobvosmaer-gitlab is investigating queries to run with the customer to reduce the scope of the problem.

cc/ @stanhu @DouweM