GitLab.org / GitLab / Issues / #341479 (Closed)
Issue created Sep 22, 2021 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Severity of an incident can be changed by a guest user

HackerOne report #1341674 by cradlr on 2021-09-16, assigned to @ngeorge1:


Report

Summary

The severity of an incident can be changed by a guest user due to privilege escalation.

Steps to reproduce
  1. Create two accounts on GitLab.com. Create a group and invite another member to the group as an Owner.
  2. Create a project under the group.
  3. From the invited user's session, go to Groups -> Projects -> Monitor -> Create Incident.
  4. Create an incident and then choose the severity of that incident. Capture the request in Burp and send it to Repeater.
  5. From the main user's session, demote the user to Guest. Change the severity to Low from the first user.
  6. Refresh the second user's session. Now the second user cannot change the severity.
  7. Fire the request from Repeater. The severity gets changed.

Thanks,
Cradlr

Impact

Unauthorized users can change the severity of the incident.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Incident-Priv-Escalation.mp4

How To Reproduce

Please add reproducibility information to this section:

Potential fix

See #341479 (comment 690495909)

Security development issue

https://gitlab.com/gitlab-org/security/gitlab/-/issues/519

Edited Oct 01, 2021 by Peter Leitzen
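The bug class in the report above, an authorization decision that is not re-evaluated when a captured request is replayed after the caller's role was lowered, modelled as an added Ruby example. This is not GitLab's code and does not describe GitLab's actual implementation: `Project`, `VulnerableSeverityService`, `HardenedSeverityService`, the `allowed_at_render` field and the "Reporter or higher" threshold are all hypothetical, chosen to show the anti-pattern and its fix side by side.

```ruby
# Added example, not GitLab code: a hypothetical severity-update service in a
# vulnerable form (trusts a stale authorization decision) and a hardened form
# (re-checks the policy against current membership on every request).

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
SEVERITIES = %w[critical high medium low unknown].freeze

Incident = Struct.new(:id, :severity)

# Project membership: the source of truth the server must consult per request.
class Project
  def initialize
    @members = {}
  end

  def set_role(user, role)
    @members[user] = role
  end

  # Assumed policy (hypothetical): changing severity needs Reporter or higher.
  def can_update_severity?(user)
    role = @members[user]
    !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK[:reporter]
  end
end

# A request captured in Burp Repeater. `allowed_at_render` (hypothetical) stands
# in for any permission decision made when the page was rendered rather than
# when the request is processed.
CapturedRequest = Struct.new(:user, :incident_id, :severity, :allowed_at_render)

class VulnerableSeverityService
  def initialize(project)
    @project = project
  end

  def execute(req, incident)
    # BUG: trusts a decision that was correct when captured, not one made now.
    return :forbidden unless req.allowed_at_render
    incident.severity = req.severity
    :ok
  end
end

class HardenedSeverityService
  def initialize(project)
    @project = project
  end

  def execute(req, incident)
    # Evaluate the policy against the project's current membership every time.
    return :forbidden unless @project.can_update_severity?(req.user)
    return :invalid unless SEVERITIES.include?(req.severity)
    incident.severity = req.severity
    :ok
  end
end

# Replays the report's steps 3-7 against the given service class and returns
# [result_of_the_replayed_request, final_severity].
def replay_after_demotion(service_class)
  project = Project.new
  project.set_role(:main_user, :owner)
  project.set_role(:invited_user, :owner)
  incident = Incident.new(1, 'medium')
  service = service_class.new(project)

  # Steps 3-4: the invited user, still an Owner, sets the severity and the
  # request is captured in Repeater.
  req = CapturedRequest.new(:invited_user, incident.id, 'high',
                            project.can_update_severity?(:invited_user))
  service.execute(req, incident)

  # Step 5: the main user demotes the invited user to Guest and sets Low.
  project.set_role(:invited_user, :guest)
  owner_req = CapturedRequest.new(:main_user, incident.id, 'low',
                                  project.can_update_severity?(:main_user))
  service.execute(owner_req, incident)

  # Step 7: the now-Guest user fires the captured request from Repeater.
  [service.execute(req, incident), incident.severity]
end

if __FILE__ == $PROGRAM_NAME
  p replay_after_demotion(VulnerableSeverityService) # [:ok, "high"]
  p replay_after_demotion(HardenedSeverityService)   # [:forbidden, "low"]
end
```

The fix is the usual one for this class: the server must derive the permission from current state on each mutation and never from anything the client sends or from a decision made earlier in the session. In a GitLab-style codebase that means the policy check belongs in the service or mutation that performs the write, not only in the code that decides whether to render the control.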