Unauthorized access to private project security dashboard
HackerOne report #853355 by vaib25vicky
on 2020-04-19, assigned to @dcouture:
Summary
A user with guest permissions cannot view the security dashboard of a private project. However, this restriction is not applied when a user's permission is changed from maintainer to guest.
As a result, if a user was previously a maintainer in the project, they can add the project to their personal security dashboard, and when their access level is reduced to guest they can still view new security vulnerability results found in the project through that dashboard. New security issues found in the project continue to be reflected in the guest user's security dashboard.
Steps to reproduce
- User A creates a private project and adds user B with maintainer access.
- User B adds the project to their security dashboard.
- User A reduces user B's access level to guest. Now user B can no longer view any old or new security issues in the project directly.
- User B can still access the project's new as well as old security issues through their security dashboard, including the specific new files where the issues lie.
- Done.
Impact
The impact of this vulnerability is very high. A malicious user can take advantage of the security issues found and use them to exploit the owner's application. The findings also disclose newly added files, dependencies and the new internal structure of the project/application to the unauthorized user.
What is the current bug behavior?
An unauthorized user (guest) can view the security dashboard of a private project.
What is the expected correct behavior?
The project should be removed from the user's security dashboard when their permission is lowered.
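The stale-authorization pattern this report describes, as an added illustration that is not GitLab's code: the dashboard checks access only when a project is added, so a later downgrade is never re-evaluated. The numeric access levels are GitLab's public constants; the assumption that Developer is the minimum level for reading findings, the project name, and the findings themselves are constructed for the example.

```python
from dataclasses import dataclass, field

# GitLab's numeric access levels (public constants in its codebase).
GUEST, REPORTER, DEVELOPER, MAINTAINER = 10, 20, 30, 40
# Assumed threshold for reading findings; the report only states that guest is too low.
MIN_VULN_READ_LEVEL = DEVELOPER


@dataclass
class Project:
    name: str
    members: dict            # user -> current access level
    findings: list           # constructed finding titles


@dataclass
class Dashboard:
    user: str
    projects: list = field(default_factory=list)


def add_project(dashboard, project):
    """Add-time check: this part works, but it is the only check the vulnerable path has."""
    if project.members.get(dashboard.user, 0) < MIN_VULN_READ_LEVEL:
        raise PermissionError(f"{dashboard.user} may not add {project.name}")
    dashboard.projects.append(project)


def dashboard_findings_vulnerable(dashboard):
    """Trusts the saved project list; a membership downgrade is never re-checked."""
    return {p.name: list(p.findings) for p in dashboard.projects}


def dashboard_findings_fixed(dashboard):
    """Re-evaluates the user's current access level on every read."""
    return {p.name: list(p.findings) for p in dashboard.projects
            if p.members.get(dashboard.user, 0) >= MIN_VULN_READ_LEVEL}


def reproduce():
    """Walk through the report's steps and return what each implementation shows user B."""
    proj = Project("yarn-vulnerabilities",            # name taken from the report
                   {"A": MAINTAINER, "B": MAINTAINER},
                   ["constructed: outdated dependency with known advisory"])
    dash_b = Dashboard("B")
    add_project(dash_b, proj)                          # step 2: B adds while maintainer
    proj.members["B"] = GUEST                          # step 3: A downgrades B to guest
    return {"vulnerable": dashboard_findings_vulnerable(dash_b),
            "fixed": dashboard_findings_fixed(dash_b)}
```

Removing the project from the dashboard at downgrade time, as the report suggests, closes the same gap; re-checking on read additionally covers downgrades that bypass the membership-change path.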
Relevant logs and/or screenshots
When the permission is changed to guest, the user cannot view the security dashboard directly; they are shown this message.
But the user can still access the private project's security issues through their own security dashboard.
Output of checks
This bug happens on GitLab.com.
NOTE: I'm using one of the example projects provided by GitLab, named "yarn-vulnerabilities", for security testing.
If you want to quickly validate my report, please consider using it: https://gitlab.com/gitlab-examples/security/yarn-vulnerabilities.
Thanks,
Vaibhav Singh
Impact
Unauthorized access to a private project's security dashboard, which allows a malicious user to exploit the owner's application and also discloses the application's newly added files/dependencies and internal structure.