Severity of an incident can be changed by a guest user
HackerOne report #1341674 by cradlr
on 2021-09-16, assigned to @ngeorge1:
Report
Summary
The severity of an incident can be changed by a guest user due to privilege escalation.
Steps to reproduce
- Create 2 accounts on Gitlab.com. Create a group and invite another member to the group as an owner.
- Create a project under the group.
- From the invited user's session, go to Groups -> Projects -> Monitor -> Create Incident.
- Create an incident and then choose the severity of that incident. Capture the request in Burp and send it to repeater.
- From the main user's session, demote the user to Guest. Change the severity to low from the first user.
- Refresh the 2nd user's session. Now the 2nd user cannot change the severity.
- Fire the request from repeater. Severity gets changed.
Thanks,
Cradlr
Impact
Unauthorized users can change the severity of the incident.
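As an added illustration (not the reporter's or GitLab's code, which this report does not show), a minimal Ruby model of the defect and its fix: the severity update re-reads the caller's current membership role on every request instead of trusting what the UI allowed at render time, so a request replayed after demotion is rejected. The class names, the role ladder and the assumed minimum role (`reporter`) are assumptions made for this example.

```ruby
# Hypothetical, self-contained model of the authorization gap described above.
# Membership, IncidentSeverityService and the role threshold are assumptions, not GitLab code.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
SEVERITIES = %w[critical high medium low unknown].freeze

# In-memory stand-in for the group membership table.
class Membership
  def initialize
    @roles = {}
  end

  def set(user, role)
    raise ArgumentError, "unknown role #{role}" unless ROLE_RANK.key?(role)
    @roles[user] = role
  end

  def role_of(user)
    @roles[user]
  end
end

Incident = Struct.new(:severity)

# Every update re-reads the live role; nothing from an earlier page render is trusted.
class IncidentSeverityService
  MIN_ROLE = :reporter # assumed threshold: guests must not change severity

  def initialize(memberships)
    @memberships = memberships
  end

  def authorized?(user)
    role = @memberships.role_of(user)
    !role.nil? && ROLE_RANK[role] >= ROLE_RANK[MIN_ROLE]
  end

  # Returns [status, incident]; :forbidden and :invalid leave the incident untouched.
  def update(user, incident, new_severity)
    return [:invalid, incident] unless SEVERITIES.include?(new_severity)
    return [:forbidden, incident] unless authorized?(user)
    incident.severity = new_severity
    [:ok, incident]
  end
end

# Constructed walk-through of the report's steps: change while owner, demote, replay.
def replay_after_demotion
  members = Membership.new
  members.set("user2", :owner)
  svc = IncidentSeverityService.new(members)
  incident = Incident.new("low")
  first = svc.update("user2", incident, "high")      # allowed while still an owner
  members.set("user2", :guest)                       # the group owner demotes user2
  replay = svc.update("user2", incident, "critical") # the replayed Repeater request
  [first[0], replay[0], incident.severity]
end
```

With the role checked at request time, `replay_after_demotion` returns `[:ok, :forbidden, "high"]`: the replayed request is refused and the severity set before demotion is left in place.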
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
Potential fix
See #341479 (comment 690495909)
Security development issue