GitLab.org / GitLab · Issue #25195 (Closed)
Issue created Nov 13, 2018 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Account access with old password

HackerOne report #437194 by rogov on 2018-11-08:

Hi!

Summary: Account access with old password

Description: The vulnerability allows access to an account with the old password under certain conditions.

Steps To Reproduce:

  1. Log in to an account that has 2FA enabled (just username:password; do not touch the 2FA confirmation window).
  2. Open a new window, log in to the account there and change the password. We'll see that this logs us out of our account.
  3. Return to the window with the 2FA confirmation and see that the session with the old password is still alive. To check it fully, just enter the 2FA code and see that it lets us into the account with the session with the old password.

Supporting Material/References:

Nothing to add :)

Impact

Account access with old password
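What the three steps above exercise is a login session that has passed the password check but is still waiting for the second factor, and that is not invalidated when the password is changed from another session. The Ruby below is an added illustration written for this page, not GitLab's own code (GitLab's real login flow runs through Devise and is not reproduced here). It models the two session states with a toy in-memory store, uses a salted SHA-256 digest as a stand-in for bcrypt, replays the reporter's steps, and shows two fixes: dropping pending-2FA sessions when the password changes, and re-checking at the 2FA step that the password the session was opened with is still the current one. All class, method and variable names are assumptions made for the example.

```ruby
require 'digest'
require 'securerandom'

# Stand-in user record. Salted SHA-256 is used only so the example runs with
# the standard library; a real app uses bcrypt/argon2 and a constant-time compare.
class User
  attr_reader :username, :password_digest

  def initialize(username, password)
    @username = username
    set_password(password)
  end

  # Rotates salt and digest, so a session that cached the old digest can be
  # recognised as having been opened under a password that no longer applies.
  def set_password(password)
    @salt = SecureRandom.hex(8)
    @password_digest = Digest::SHA256.hexdigest(@salt + password)
  end

  def valid_password?(password)
    Digest::SHA256.hexdigest(@salt + password) == @password_digest
  end
end

# In-memory session store with two states: :pending_2fa (password accepted,
# second factor outstanding) and :authenticated.
# bind_pending_to_password: false reproduces the reported behaviour,
# true applies both hardenings.
class SessionStore
  def initialize(bind_pending_to_password: true)
    @sessions = {}
    @bind = bind_pending_to_password
  end

  # Login step 1: password only. The session is created as :pending_2fa and
  # remembers which password digest it was authenticated against.
  def password_login(user, password)
    return nil unless user.valid_password?(password)
    token = SecureRandom.hex(16)
    @sessions[token] = { user: user, state: :pending_2fa, digest_at_login: user.password_digest }
    token
  end

  # Login step 2: second factor. `code_valid` stands in for TOTP verification.
  def complete_2fa(token, code_valid)
    s = @sessions[token]
    return :no_session unless s && s[:state] == :pending_2fa
    return :invalid_code unless code_valid
    # Hardening 2: the password that opened this session must still be current.
    # Also covers password changes that bypass this store (e.g. a reset flow).
    if @bind && s[:digest_at_login] != s[:user].password_digest
      @sessions.delete(token)
      return :stale_password
    end
    s[:state] = :authenticated
    :authenticated
  end

  # Password change from a fully authenticated session. The vulnerable variant
  # logs out only other *authenticated* sessions, which is what the reporter
  # saw in step 2 and why the pending session survived into step 3.
  # Hardening 1: drop the user's pending-2FA sessions as well.
  def change_password(token, old_password, new_password)
    s = @sessions[token]
    return false unless s && s[:state] == :authenticated && s[:user].valid_password?(old_password)
    s[:user].set_password(new_password)
    @sessions.delete_if do |t, other|
      t != token && other[:user].equal?(s[:user]) && (@bind || other[:state] == :authenticated)
    end
    true
  end

  def authenticated?(token)
    s = @sessions[token]
    !s.nil? && s[:state] == :authenticated
  end
end

# Replays the report's three steps; returns whether the session opened with
# the old password ended up fully authenticated.
def old_password_session_survives?(store)
  user = User.new('alice', 'old-password')                        # constructed test account
  window_a = store.password_login(user, 'old-password')           # 1: stop at the 2FA prompt
  window_b = store.password_login(user, 'old-password')           # 2: second window, full login...
  store.complete_2fa(window_b, true)
  store.change_password(window_b, 'old-password', 'new-password') # ...then change the password
  store.complete_2fa(window_a, true)                              # 3: back in window A, enter the code
  store.authenticated?(window_a)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable store lets the old-password session in: #{old_password_session_survives?(SessionStore.new(bind_pending_to_password: false))}"
  puts "hardened store lets the old-password session in:   #{old_password_session_survives?(SessionStore.new(bind_pending_to_password: true))}"
end
```

Both hardenings are worth keeping: invalidating pending sessions at password-change time fixes the reported path, while re-checking the digest at 2FA completion catches any other path that rotates the password (reset by e-mail, admin change) without going through the same session cleanup.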
