ESCALATED: available_custom_project_templates does not check the access level of the user
This is the 2nd vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/67109
This is where the second vulnerability can be found. The ProjectsFinder starts from an initial collection consisting of the projects the authenticated user can access, but it does not check the user's access level within those projects. As a result, any project that is public but has Repository, Issue, Snippets (etc.) access disabled for Guests is still returned by the available_custom_project_templates method on the User model. Ideally, this method would limit the projects it returns according to the user's permissions on each project.
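The gap described above, as an added illustration that is not GitLab's code: a simplified Ruby model of a project with per-feature access levels, a finder that filters only on visibility (the flawed behaviour) beside one that also checks repository access for the requesting user. Project, the two finder methods and the sample data are hypothetical stand-ins for ProjectsFinder and the User model.

```ruby
# Hypothetical model (not GitLab's code). Feature access levels mimic
# GitLab's semantics: a project feature can be DISABLED, PRIVATE
# (members only) or ENABLED for everyone who can see the project.
DISABLED = 0
PRIVATE  = 10
ENABLED  = 20

Project = Struct.new(:name, :public, :members, :repository_access) do
  # Visibility check: the only thing the flawed finder relies on.
  def visible_to?(user)
    public || members.include?(user)
  end

  # Feature-level check the finder should also apply before offering the
  # project as a template (a template needs readable repository contents).
  def repository_readable_by?(user)
    return false unless visible_to?(user)
    case repository_access
    when ENABLED then true
    when PRIVATE then members.include?(user)
    else false
    end
  end
end

# Flawed finder: returns every project the user can *see*, regardless of
# whether the repository feature is readable for that user.
def templates_without_feature_check(projects, user)
  projects.select { |p| p.visible_to?(user) }.map(&:name)
end

# Corrected finder: additionally requires read access to the repository.
def templates_with_feature_check(projects, user)
  projects.select { |p| p.repository_readable_by?(user) }.map(&:name)
end

# Constructed sample data: one public project with an open repository, one
# public project whose repository is restricted to members, one private project.
MEMBER = :alice
GUEST  = :bob
SAMPLE_PROJECTS = [
  Project.new("open-template",     true,  [MEMBER], ENABLED),
  Project.new("members-only-repo", true,  [MEMBER], PRIVATE),
  Project.new("internal",          false, [MEMBER], ENABLED),
]
```

For the non-member GUEST, the flawed finder lists "members-only-repo" as a usable template while the corrected one does not; for MEMBER both finders agree.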