Incomplete fix of CVE-2022-1821 leads to parent group members disclosure

HackerOne report #1592406 by jimeno on 2022-06-06, assigned to GitLab Team:


Report

Summary

Hi team. I came across this issue while reviewing the most recent GitLab security release. In it, it says:

Subgroup member can list members of parent group

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1821.

This vulnerability was discovered internally by a member of the GitLab team.

I noticed a subgroup member is still able to view all parent group members by simply browsing to the subgroup's Group members tab in the UI. Example (my own instance, not accessible to you): https://gl.jimenolabs.net/groups/parent/child/-/group_members.

I also verified this information isn't accessible through the REST or GraphQL APIs when directly querying the parent group.

  • GraphQL:

    [screenshot: Captura_de_Pantalla_2022-06-06_a_las_15.38.28.png]

  • REST: 167 is the child group while 166 is the parent.

    [screenshot: Captura_de_Pantalla_2022-06-06_a_las_15.53.16.png]

Steps to reproduce
  1. Victim: create a group and add a Developer user to it, for example one named private.

    [screenshot: Captura_de_Pantalla_2022-06-06_a_las_15.36.50.png]

  2. Create a subgroup of this group.

  3. Invite the attacker (naaytesting in my case) to the subgroup as a Developer.

  4. As the attacker (naaytesting), browse to https://gl.jimenolabs.net/groups/[PARENT]/[child]/-/group_members, replacing the placeholders with yours.

  5. Notice all parent (parent) group members are disclosed to you.

    [screenshot: Captura_de_Pantalla_2022-06-06_a_las_15.37.37.png]

Impact

The same as CVE-2022-1821:

It may be possible for a subgroup member to access the members list of their parent group.

Examples

N/A - I reproduced it using my own instance.

What is the current bug behavior?

Subgroup-only member can view parent group members.

What is the expected correct behavior?

Subgroup-only member cannot view parent group members.

Relevant logs and/or screenshots

N/A. See reproduction steps.

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info
root@gl:/# gitlab-rake gitlab:env:info

System information
System:
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203
Gem Version:	3.1.4
Bundler Version:2.2.33
Rake Version:	13.0.6
Redis Version:	6.2.6
Sidekiq Version:6.4.0
Go Version:	unknown

GitLab information
Version:	15.0.1-ee
Revision:	d69f38d4a95
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.10
URL:		https://gl.jimenolabs.net
HTTP Clone URL:	https://gl.jimenolabs.net/some-group/some-project.git
SSH Clone URL:	git@gl.jimenolabs.net:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: auth0

GitLab Shell
Version:	14.3.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Impact

Subgroup-only member can view parent group members.
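A regression check that an instance owner can run against their own test groups after upgrading, added here as an example and not code from the report or from GitLab. It turns the expected behaviour stated above ("subgroup-only member cannot view parent group members") into an automated comparison: the owner token fetches the direct member lists of the parent and the subgroup through the documented GET /api/v4/groups/:id/members endpoint, the subgroup-only test account's token then queries the parent group the same way, and any parent-only usernames the test account can still see are reported. The environment variable names, the helper names and the timeout are assumptions of this example; the sample member lists in the test are constructed, not taken from the reporter's instance.

```python
"""Regression check for parent-group member disclosure (example code, not
GitLab's own and not part of the HackerOne report).

Assumptions of this example:
  * GITLAB_URL, OWNER_TOKEN, SUBGROUP_USER_TOKEN, PARENT_ID and CHILD_ID are
    provided as environment variables (names chosen here, not from the report);
  * GET /api/v4/groups/:id/members is the documented GitLab endpoint returning
    a JSON list of objects with "id", "username" and "access_level";
  * the PRIVATE-TOKEN header carries a personal access token.
"""
from __future__ import annotations

import json
import os
import urllib.error
import urllib.request
from typing import Iterable, Optional


def fetch_direct_members(base_url: str, token: str, group_id: int) -> Optional[list]:
    """Fetch a group's direct member list as the token's user.

    Returns None when the API answers 403 or 404 (the user cannot see the
    group's members at all), which is the outcome the report expects for a
    subgroup-only user querying the parent group.  Other HTTP errors are
    raised so that configuration mistakes are not silently read as 'fixed'.
    """
    url = f"{base_url.rstrip('/')}/api/v4/groups/{group_id}/members?per_page=100"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:  # timeout is an assumption
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        if exc.code in (403, 404):
            return None
        raise


def disclosed_parent_members(parent_direct: Iterable[dict],
                             subgroup_direct: Iterable[dict],
                             seen_by_subgroup_user: Optional[Iterable[dict]]) -> list:
    """Return the usernames that are direct members of the parent group only
    (not also direct members of the subgroup) and that the subgroup-only user
    was nevertheless able to list.

    parent_direct / subgroup_direct come from an owner token; seen_by_subgroup_user
    is whatever the subgroup-only user's token got back for the parent group
    (None when the API refused the request, i.e. nothing was visible).
    An empty result means no parent-only member was disclosed.
    """
    if seen_by_subgroup_user is None:
        return []
    parent_only = {m["username"] for m in parent_direct} - {m["username"] for m in subgroup_direct}
    return sorted({m["username"] for m in seen_by_subgroup_user if m["username"] in parent_only})


def main() -> int:
    base = os.environ["GITLAB_URL"]
    owner_token = os.environ["OWNER_TOKEN"]
    tester_token = os.environ["SUBGROUP_USER_TOKEN"]
    parent_id, child_id = int(os.environ["PARENT_ID"]), int(os.environ["CHILD_ID"])

    parent_direct = fetch_direct_members(base, owner_token, parent_id) or []
    child_direct = fetch_direct_members(base, owner_token, child_id) or []
    seen = fetch_direct_members(base, tester_token, parent_id)

    leaked = disclosed_parent_members(parent_direct, child_direct, seen)
    if leaked:
        print("parent-only members visible to the subgroup-only user:", ", ".join(leaked))
        return 1
    print("no parent-only member visible to the subgroup-only user")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it with the two tokens and the two group IDs set in the environment; a non-zero exit means a parent-only username came back to the test account, which is exactly the condition this report describes as the bug. Members who are direct members of both groups are deliberately excluded, since the subgroup-only user is entitled to see them through the subgroup itself; the check therefore only flags names the user has no legitimate path to.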

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
