old password can be used for creating access token given refresh token

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1882631 by vaib25vicky on 2023-02-22, assigned to @cmaxim:

Report | How To Reproduce

Report

Summary

We can use the resource owner password credentials flow to obtain a new access token for the user by using an old password which is no longer active on his account.

Steps to reproduce
  1. Create a new access token:

     ```sh
     # Resource owner password credentials grant: exchange username/password for tokens
     echo 'grant_type=password&username={USER_NAME}&password={PASSWORD}' > auth.txt

     curl --data "@auth.txt" --request POST "https://gitlab.com/oauth/token"
     ```

  2. In the response you will get an access token and a refresh token. Copy the refresh token.
  3. Go to your GitLab account password settings and change your password: https://gitlab.com/-/profile/password/edit
  4. Run the following commands in your terminal. Use the old password that you used in step 1.

     ```sh
     # Refresh token grant, sent together with the old (now changed) password
     echo 'username={Username}&password={Password}&refresh_token={Refresh_Token}&grant_type=refresh_token' > auth.txt

     curl --data "@auth.txt" --request POST "https://gitlab.com/oauth/token"
     ```

  5. After success, you'll get a new access token.
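The sequence above, modelled as an added example that is not GitLab's or Doorkeeper's code: a toy token endpoint that implements the `password` and `refresh_token` grants, with a switch for whether a password change revokes the user's existing grants. The class and function names (`TokenService`, `refresh_survives_password_change`), the sample user and the token lifetimes are assumptions for illustration. With revocation off, the old refresh token still yields a fresh access token after the password changes; with revocation on, the same request fails with `invalid_grant`.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of an OAuth token store. Not GitLab's code; the names and
# structure are assumptions made for this example.


class TokenService:
    def __init__(self, revoke_on_password_change: bool):
        self.revoke_on_password_change = revoke_on_password_change
        self._users = {}           # username -> (salt, password_hash)
        self._refresh_tokens = {}  # refresh_token -> username
        self._access_tokens = {}   # access_token -> (username, expires_at)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def _issue(self, username: str) -> dict:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access_tokens[access] = (username, time.time() + 7200)
        self._refresh_tokens[refresh] = username
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 7200}

    def token(self, params: dict) -> dict:
        """Token endpoint handling grant_type=password and grant_type=refresh_token."""
        grant = params.get("grant_type")
        if grant == "password":
            if not self._check_password(params.get("username", ""), params.get("password", "")):
                return {"error": "invalid_grant"}
            return self._issue(params["username"])
        if grant == "refresh_token":
            # The refresh_token grant never re-checks the password: any username
            # or password fields sent alongside it are simply ignored.
            username = self._refresh_tokens.pop(params.get("refresh_token"), None)
            if username is None:
                return {"error": "invalid_grant"}
            return self._issue(username)
        return {"error": "unsupported_grant_type"}

    def change_password(self, username: str, new_password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(new_password, salt))
        if self.revoke_on_password_change:
            # Hardened behaviour: a credential change invalidates every grant that
            # descends from the old credential, so a leaked refresh token dies with it.
            self._refresh_tokens = {t: u for t, u in self._refresh_tokens.items() if u != username}
            self._access_tokens = {t: v for t, v in self._access_tokens.items() if v[0] != username}


def refresh_survives_password_change(revoke: bool) -> bool:
    """Replay the reported steps; True means the pre-change refresh token still works."""
    svc = TokenService(revoke_on_password_change=revoke)
    svc.register("alice", "old-password")
    first = svc.token({"grant_type": "password", "username": "alice", "password": "old-password"})
    svc.change_password("alice", "new-password")
    second = svc.token({"grant_type": "refresh_token", "refresh_token": first["refresh_token"],
                        "username": "alice", "password": "old-password"})
    return "access_token" in second


def old_password_grant_after_change(revoke: bool) -> bool:
    """Control case: the old password alone is rejected by the password grant either way."""
    svc = TokenService(revoke_on_password_change=revoke)
    svc.register("alice", "old-password")
    svc.change_password("alice", "new-password")
    direct = svc.token({"grant_type": "password", "username": "alice", "password": "old-password"})
    return "access_token" in direct


if __name__ == "__main__":
    print("refresh works after change (no revocation):", refresh_survives_password_change(False))
    print("refresh works after change (revocation):   ", refresh_survives_password_change(True))
```

The control function shows why the old password in step 4 is a red herring: the password grant rejects it, while the refresh grant ignores it entirely. The fix that matters is in `change_password`, where the user's outstanding grants are revoked alongside the credential change.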

Impact

old password can be used for creating access token given refresh token

How To Reproduce

Please add reproducibility information to this section: