Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1850046 by albatraoz
on 2023-01-28, assigned to @rshambhuni:
Report
Summary
Recently GitLab introduced a feature to ban a member from a group. This allows a group owner to ban a member from accessing the projects of a group. But due to this vulnerability the member loses access to only private projects & not the public projects for the group. The member continues to have the same access level before they were banned on the public projects of the group from where they were banned.
Steps to reproduce
- As user A create a public ultimate/premium GitLab group. (Ultimate/Premium needed for ban feature)
- Create two projects in this group. One should be private & another one should be public.
- As user A add user B to this public group as a maintainer.
- Now login as user B & check those two projects & you'll have maintainer access to both.
- Now as user A ban user B from the groups member page.
- Now login as user B & check the private project; it will say "Page Not Found" as this member is banned so the access is lost.
- Now as user B, check the public project & you'll see that you are able to access this project with maintainer access.
You should be able to change the settings and do all the things that a maintainer can.
Impact
A malicious member would be able to have access to the public projects of a public GitLab group even after being banned from the public group by the owner.
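The following is an added example, not GitLab's code and not part of the report: a toy Ruby model of how a group ban should interact with project visibility when a member's access level is resolved. The `effective_access_buggy` resolver is a hypothetical reconstruction of the defect class described above (the ban is only consulted on the code path taken for private projects), placed beside a hardened resolver that checks the ban before membership regardless of visibility. All names (`Group`, `Project`, `user_b`, the access-level table) are constructed for the illustration.

```ruby
require 'set'

# Access levels in ascending order of privilege (constructed for this example).
ACCESS = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Group   = Struct.new(:name, :members, :banned)      # members: { user => level }, banned: Set of users
Project = Struct.new(:name, :group, :visibility)    # visibility: :public or :private

# Hypothetical buggy resolution: the ban is only consulted on the path taken
# for private projects, so a banned maintainer keeps :maintainer on public ones.
def effective_access_buggy(user, project)
  group = project.group
  level = group.members.fetch(user, :none)
  if project.visibility == :private
    return :none if group.banned.include?(user)
  end
  level
end

# Hardened resolution: the ban is evaluated before membership and is
# independent of project visibility, so it revokes the level everywhere.
def effective_access_fixed(user, project)
  group = project.group
  return :none if group.banned.include?(user)
  group.members.fetch(user, :none)
end

# Read access is a separate question: a public project is readable by anyone,
# banned or not. That is the expected anonymous behaviour, not the defect.
def can_read?(user, project, resolver)
  project.visibility == :public || ACCESS[resolver.call(user, project)] > ACCESS[:none]
end

# Whether the resolved level still permits maintainer actions such as changing settings.
def can_maintain?(user, project, resolver)
  ACCESS[resolver.call(user, project)] >= ACCESS[:maintainer]
end

# Reproduces the report's scenario in the model: user_b is added as a
# maintainer of a group with one public and one private project, then banned.
def scenario(resolver)
  group = Group.new('demo-group', { 'user_b' => :maintainer }, Set.new)
  pub   = Project.new('public-project',  group, :public)
  priv  = Project.new('private-project', group, :private)
  group.banned << 'user_b'   # the owner bans user_b
  {
    public_level:    resolver.call('user_b', pub),
    private_level:   resolver.call('user_b', priv),
    public_read:     can_read?('user_b', pub, resolver),
    private_read:    can_read?('user_b', priv, resolver),
    public_maintain: can_maintain?('user_b', pub, resolver)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{scenario(method(:effective_access_buggy))}"
  puts "fixed: #{scenario(method(:effective_access_fixed))}"
end
```

Running the script shows the two resolvers agreeing on the private project (both deny) and disagreeing on the public one: the buggy resolver still reports `:maintainer` there, while the hardened one drops the banned user to `:none` and leaves only the anonymous public read. A regression test for this class of bug should therefore assert on the resolved access level for a public project, not merely on whether the page is reachable.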
How To Reproduce
Please add reproducibility information to this section: