A member is able to upgrade their own or another member's role to the Owner role
HackerOne report #1520001 by bethewolf
on 2022-03-23, assigned to @nmalcolm:
Report
Hi Team,
Description:
According to the docs and the GitLab GUI:
A member with the Maintainer role is able to change another user's role to Maintainer, Developer or Guest; there is no option in the GitLab GUI for a member to upgrade their own or another member's role to the Owner role.
But as a Maintainer I'm able to upgrade my own role and other users' roles to the Owner role.
In the request there is an access level:
`{"project_member":{"access_level":40}}` change it to
`{"project_member":{"access_level":50}}`
The role will be changed to the Owner role automatically :)
Reproducible steps -- to upgrade your own role to Owner:
1. As a Maintainer on a project, click to upgrade or downgrade any other user's role
2. Intercept the request and change that member id to your own member id
3. Set `{"access_level":50}` there and forward the request in Burp
4. See that the member was able to successfully upgrade their role to Owner
Now upgrade any other member's role to Owner:
Reproducible steps:
1. As a Maintainer on a project, click to upgrade or downgrade any other user's role
2. Intercept the request, set `{"access_level":50}` there and forward the request in Burp
3. See that the member's role was upgraded to Owner
Impact
A member was able to upgrade their own and other users' roles to Owner (there is no option for the Owner role in the GUI, and a Maintainer couldn't upgrade themselves or other users to Owner).
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]
How To Reproduce
Please add reproducibility information to this section:
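Added example (not GitLab's code): a minimal model of the server-side authorization that the report shows is missing, with the vulnerable handler beside a hardened one that refuses to grant a role above the caller's own. The access level numbers 40 (Maintainer) and 50 (Owner) come from the report; the other values and the member table are assumed for illustration.

```python
# Access levels as integers; 40 and 50 are from the report, the rest are
# assumed placeholders for the lower roles.
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer",
                 40: "Maintainer", 50: "Owner"}
MAINTAINER = 40
OWNER = 50


class Forbidden(Exception):
    """Raised when the actor is not allowed to perform the role change."""


def update_member_vulnerable(members, actor_id, target_id, requested_level):
    """Vulnerable handler: trusts the client-supplied access_level.
    It only checks that the actor is at least a Maintainer, so a Maintainer
    can send access_level=50 for themselves or anyone else and become Owner."""
    if members[actor_id] < MAINTAINER:
        raise Forbidden("only maintainers and owners can change roles")
    if requested_level not in ACCESS_LEVELS:
        raise ValueError("unknown access level")
    members[target_id] = requested_level
    return members[target_id]


def update_member_fixed(members, actor_id, target_id, requested_level):
    """Hardened handler: the requested level is capped by the actor's own
    level, and the actor may not touch a member who already outranks them.
    The check uses the actor's level from the server-side member table, never
    anything from the request, so swapping the target id to yourself (step 2
    in the report) no longer helps."""
    actor_level = members[actor_id]
    if actor_level < MAINTAINER:
        raise Forbidden("only maintainers and owners can change roles")
    if requested_level not in ACCESS_LEVELS:
        raise ValueError("unknown access level")
    if requested_level > actor_level:
        raise Forbidden("cannot grant a role above your own")
    if members[target_id] > actor_level:
        raise Forbidden("cannot modify a member who outranks you")
    members[target_id] = requested_level
    return members[target_id]


def is_allowed(members, actor_id, target_id, requested_level):
    """True if the hardened handler would accept the change (table untouched)."""
    try:
        update_member_fixed(dict(members), actor_id, target_id, requested_level)
        return True
    except Forbidden:
        return False
```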