Severity of an incident can be changed by a guest user

HackerOne report #1341674 by cradlr on 2021-09-16, assigned to @ngeorge1:

Report | Attachments | How To Reproduce

Report

Summary

The severity of an incident can be changed by a guest user due to privilege escalation.

Steps to reproduce
  1. Create 2 accounts on GitLab.com. Create a group and invite another member to the group as an owner.
  2. Create a project under the group.
  3. From the invited user's session, go to Groups -> Projects -> Monitor -> Create Incident.
  4. Create an incident and then choose the severity of that incident. Capture the request in Burp and send it to Repeater.
  5. From the main user's session, demote the user to Guest. Change the severity to Low from the first user.
  6. Refresh the 2nd user's session. Now the 2nd user cannot change the severity.
  7. Fire the request from Repeater. The severity gets changed.

Thanks,
Cradlr

Impact

Unauthorized users can change the severity of the incident.
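
The replay-after-demotion test from the report, as an added example against a toy in-memory service (not GitLab code and not the root cause recorded in this issue). The `Role` values, the Reporter threshold for editing severity, the `IncidentService` class and the membership-only check in its non-strict variant are assumptions chosen to reproduce the observable symptom: the UI hides the control after the demotion while a captured request still succeeds.

```python
"""
Toy model of steps 1-7 from the report: capture a privileged request,
downgrade the actor to Guest, replay the request. Added example, not
GitLab code; roles, threshold and service are assumptions.
"""
from enum import IntEnum


class Role(IntEnum):
    """Assumed role ladder; higher value means more privilege."""
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


SEVERITIES = ("unknown", "low", "medium", "high", "critical")

# Assumption: editing severity requires at least Reporter.
EDIT_SEVERITY_MIN_ROLE = Role.REPORTER


class IncidentService:
    """In-memory project with a membership table and incidents keyed by iid."""

    def __init__(self, strict: bool):
        self.members: dict[str, Role] = {}
        self.incidents: dict[int, str] = {}
        self.strict = strict

    def add_member(self, user: str, role: Role) -> None:
        """Invite or change the role of a member (overwrites the current role)."""
        self.members[user] = role

    def ui_can_edit_severity(self, user: str) -> bool:
        """What the page render checks: current role at or above the threshold."""
        role = self.members.get(user)
        return role is not None and role >= EDIT_SEVERITY_MIN_ROLE

    def set_severity(self, actor: str, iid: int, severity: str) -> bool:
        """The mutation endpoint the captured request hits.

        Non-strict variant (assumed mechanism for illustration): it only
        verifies that the actor is a member, so a demoted Guest still passes.
        Strict variant: re-reads the current role on every call and applies
        the same threshold the UI applies.
        """
        if severity not in SEVERITIES or iid not in self.incidents:
            raise ValueError("bad request")
        role = self.members.get(actor)
        if role is None:
            raise PermissionError("not a member")
        if self.strict and role < EDIT_SEVERITY_MIN_ROLE:
            raise PermissionError("insufficient role")
        self.incidents[iid] = severity
        return True


def replay_after_demotion(strict: bool) -> dict:
    """Run the report's steps against the toy service.

    Returns whether the UI would allow the edit after the demotion, whether
    the replayed request was accepted, and the final severity.
    """
    svc = IncidentService(strict=strict)
    svc.add_member("owner", Role.OWNER)
    svc.add_member("invited", Role.OWNER)            # step 1: invited as owner
    svc.incidents[1] = "unknown"                     # step 3: invited creates incident
    svc.set_severity("invited", 1, "high")           # step 4: the request Burp captures
    captured = {"actor": "invited", "iid": 1, "severity": "high"}
    svc.add_member("invited", Role.GUEST)            # step 5: owner demotes to Guest
    svc.set_severity("owner", 1, "low")              # step 5: owner sets severity to Low
    ui_allows = svc.ui_can_edit_severity("invited")  # step 6: control is gone
    try:
        svc.set_severity(**captured)                 # step 7: fire from Repeater
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return {
        "ui_allows": ui_allows,
        "replay_accepted": replay_accepted,
        "severity": svc.incidents[1],
    }


if __name__ == "__main__":
    print("membership-only check:", replay_after_demotion(strict=False))
    print("role re-checked per request:", replay_after_demotion(strict=True))
```

The pattern to keep from this: a control disappearing from the UI is not authorization. When testing role changes, capture each state-changing request while privileged, downgrade the account, and replay the request; the server must re-evaluate the actor's current role on every mutation, not just when the page is rendered.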

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Potential fix

See #341479 (comment 690495909)

Security development issue

https://gitlab.com/gitlab-org/security/gitlab/-/issues/519

Edited by Peter Leitzen