Guests can view the shared private groups, and Guests in one shared private group can also view the other shared private groups, via API response
HackerOne report #615163 by uzsunny on 2019-06-14, assigned to gitlab_cmaxim:
Here I want to report 2 bugs.
The same root cause leads to both bugs.
Only users with Owner and Maintainer permissions are able to see the shared private groups, but here the shared private groups are disclosed to Guests.
Reproduction Steps:
Go to gitlab.com, create a private group and create a private project.
Share the project with 2 private groups for testing.
Next, invite the attacker with Guest permissions.
When the attacker visits [REDACTED]
only project members are shown.
[REDACTED]
But when the attacker visits the API,
he can view the shared private groups which the project has been shared with.
If the attacker visits
[REDACTED]
[REDACTED]
In the above response the 2 shared private groups are shown.
I have shared the project with 2 private groups for testing, so the 2 shared private groups are disclosed.
Disclosure of the other shared private groups to Guest members of a shared private group.
I have also tested with a shared private group.
Create a private group and a private project.
Share this private project with 2 private groups with Guest permissions only.
A Guest user in one of the shared private groups can view the other shared private groups.
If the attacker visits
https://gitlab.com/api/v4/projects/Your-Project-ID
[REDACTED]
Impact
There are 2 bugs with the same root cause.
Guests are able to view the shared private groups in the API response.
Guest members in one shared private group can view the other shared private groups via the API response.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- [REDACTED]
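The following is an added regression check for the two disclosures described in this report; it is not part of the HackerOne submission or of GitLab's code. It assumes the GitLab v4 project endpoint (`GET /api/v4/projects/:id`) returns a `shared_with_groups` list (entries with `group_id`, `group_name`, `group_full_path`, `group_access_level`) and a `permissions` object with `project_access` / `group_access` blocks carrying `access_level`; the sample responses are hand-constructed to that shape, and the "at least Maintainer" threshold is the report's own claim about who should see shared groups. The `fetch_project` helper is only for running the same check against a live instance with a Guest's token and is not exercised offline.

```python
"""Check whether a GitLab project API response discloses shared private groups
to a caller below Maintainer (constructed example; not the report's or GitLab's
own code).  Field names and access-level values are assumptions documented in
the lead-in."""
import copy
import json
import urllib.request

# GitLab access levels as documented in the permissions reference.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Bug 1: hand-constructed response for a direct project member with Guest access.
SAMPLE_DIRECT_GUEST = json.loads("""{
  "id": 12345,
  "name": "victim-project",
  "visibility": "private",
  "shared_with_groups": [
    {"group_id": 111, "group_name": "secret-group-a",
     "group_full_path": "secret-group-a", "group_access_level": 10},
    {"group_id": 222, "group_name": "secret-group-b",
     "group_full_path": "secret-group-b", "group_access_level": 10}
  ],
  "permissions": {
    "project_access": {"access_level": 10, "notification_level": 3},
    "group_access": null
  }
}""")

# Bug 2: the caller is a Guest only through one of the shared groups, not a
# direct member; the other shared group is still listed in the response.
SAMPLE_VIA_SHARED_GROUP = copy.deepcopy(SAMPLE_DIRECT_GUEST)
SAMPLE_VIA_SHARED_GROUP["permissions"] = {
    "project_access": None,
    "group_access": {"access_level": 10, "notification_level": 3},
}


def caller_access_level(project):
    """Highest access level the caller holds on the project, derived from the
    `permissions` block (direct membership or membership via a shared group)."""
    perms = project.get("permissions") or {}
    levels = [
        (perms.get(key) or {}).get("access_level", 0)
        for key in ("project_access", "group_access")
    ]
    return max(levels)


def leaked_shared_groups(project):
    """Return the full paths of groups in `shared_with_groups` that a caller
    below Maintainer can see.  An empty list means no disclosure for this
    caller; a non-empty list reproduces the report's finding."""
    if caller_access_level(project) >= MAINTAINER:
        return []
    return [g["group_full_path"] for g in project.get("shared_with_groups", [])]


def redact_for_caller(project):
    """Shape a corrected server response would take under the report's rule:
    drop `shared_with_groups` unless the caller is at least a Maintainer.
    This is an assumed fix shape, not GitLab's actual patch."""
    fixed = copy.deepcopy(project)
    if caller_access_level(fixed) < MAINTAINER:
        fixed["shared_with_groups"] = []
    return fixed


def fetch_project(base_url, project_id, private_token):
    """Fetch a live project JSON with a personal access token (PRIVATE-TOKEN
    header).  Network helper only; not used by the offline checks."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/projects/{project_id}",
        headers={"PRIVATE-TOKEN": private_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, sample in (("direct guest", SAMPLE_DIRECT_GUEST),
                          ("guest via shared group", SAMPLE_VIA_SHARED_GROUP)):
        print(label, "sees:", leaked_shared_groups(sample))
        print(label, "after redaction:", leaked_shared_groups(redact_for_caller(sample)))
```

Run against a live instance by passing `fetch_project(...)` output to `leaked_shared_groups`; a non-empty result for a Guest token means the endpoint still lists the shared groups.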