Subgroup guest member can do all owner activities in the subgroup
Title: Subgroup guest member can do all owner activities in the subgroup
Scope: *.gitlab.com
Weakness: Privilege Escalation
Severity: No Rating
Link: https://hackerone.com/reports/409363
Date: 2018-09-13 09:18:07 +0000
By: @ayid
Issue: Subgroup permissions are not properly applied
There is an issue in the subgroup permissions model where a subgroup Guest member can perform all Owner activities (add an owner, create another subgroup, create projects) in the subgroup.
User A --> Attacker
User B --> Victim
Group A has a subgroup B:
Group A
 |
 |____Subgroup B
Initial Configuration
Group A members:
- User A --> Owner
- User B --> Guest
Subgroup B members:
- User A --> Owner
- User B --> Owner
Victim Steps:
- Login as user B
- Change role of User A in subgroup B from "Owner" to "Guest"
Changed Configuration
Group A members:
- User A --> Owner
- User B --> Guest
Subgroup B members:
- User A --> Guest
- User B --> Owner
Attacker Steps:
- Login as User A
- Go to Subgroup B
- Although User A now holds only the Guest role in Subgroup B, he is still allowed to perform all Owner-role activities in Subgroup B, such as adding an owner, adding a project, creating a subgroup, etc.
Impact
A subgroup Guest member can perform all Owner activities in the subgroup.
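To make the role resolution behind these steps concrete, the following Python model is added here as an illustration; it is example code written for this page, not GitLab's implementation. It assumes one resolution rule: a member's effective access in a subgroup is the higher of the role granted directly in that subgroup and any role inherited from its ancestor groups. The role names are GitLab's; the numeric ranks, the activity names and the `shadowed_demotions` audit helper are this example's own. Run against the report's two configurations, it reproduces the observed outcome (User A is demoted to Guest in Subgroup B but still resolves to Owner there) and flags the subgroup-only demotion as ineffective.

```python
"""Model of nested-group role resolution for the scenario in this report.

Added illustration, not GitLab code. Assumption (labelled): a member's
effective access level in a subgroup is the highest of the role granted
directly in that subgroup and any role inherited from ancestor groups.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access levels in ascending order of privilege. The role names are GitLab's;
# the numeric ranks are this example's own and are used only for comparison.
ROLES = {"Guest": 10, "Reporter": 20, "Developer": 30, "Maintainer": 40, "Owner": 50}

# Activities the report lists as Owner activities in a subgroup (names constructed here).
OWNER_ACTIVITIES = {"add_owner", "create_project", "create_subgroup"}


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    members: Dict[str, str] = field(default_factory=dict)  # user -> role name


def direct_role(user: str, group: Group) -> Optional[str]:
    """Role granted explicitly in this group, or None."""
    return group.members.get(user)


def inherited_role(user: str, group: Group) -> Optional[str]:
    """Highest role the user holds in any ancestor of `group` (None if none)."""
    best = None
    node = group.parent
    while node is not None:
        role = node.members.get(user)
        if role is not None and (best is None or ROLES[role] > ROLES[best]):
            best = role
        node = node.parent
    return best


def effective_role(user: str, group: Group) -> Optional[str]:
    """Assumed resolution rule: max(direct role, inherited role)."""
    candidates = [r for r in (direct_role(user, group), inherited_role(user, group)) if r]
    return max(candidates, key=ROLES.__getitem__) if candidates else None


def can_perform(user: str, group: Group, activity: str) -> bool:
    """Owner activities require an effective Owner role; anything else needs membership."""
    role = effective_role(user, group)
    if activity in OWNER_ACTIVITIES:
        return role == "Owner"
    return role is not None


def shadowed_demotions(group: Group) -> List[dict]:
    """Audit check: direct subgroup roles that are lower than an inherited role.

    Under the assumed rule such a direct role has no effect, which is exactly
    the situation the report describes for User A in Subgroup B.
    """
    findings = []
    for user, role in group.members.items():
        inh = inherited_role(user, group)
        if inh is not None and ROLES[inh] > ROLES[role]:
            findings.append({"user": user, "group": group.name,
                             "direct": role, "inherited": inh})
    return findings


def build_report_scenario(after_demotion: bool) -> Group:
    """Constructed membership data matching the report's two configurations."""
    group_a = Group("Group A", members={"User A": "Owner", "User B": "Guest"})
    sub_b = Group("Subgroup B", parent=group_a,
                  members={"User A": "Guest" if after_demotion else "Owner",
                           "User B": "Owner"})
    return sub_b


if __name__ == "__main__":
    sub_b = build_report_scenario(after_demotion=True)
    print("User A direct role in Subgroup B:   ", direct_role("User A", sub_b))
    print("User A effective role in Subgroup B:", effective_role("User A", sub_b))
    for act in sorted(OWNER_ACTIVITIES):
        print(f"  can User A {act}? {can_perform('User A', sub_b, act)}")
    print("audit findings:", shadowed_demotions(sub_b))
```

The practical consequence for anyone reviewing subgroup membership: demoting a parent-group Owner only inside the subgroup changes nothing about what that user can do there, so an audit should compare each member's direct subgroup role against the roles inherited from every ancestor group, which is what `shadowed_demotions` does over the constructed data.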
Edited by Dennis Appelt