Inherited group member and Direct shared group member can share the group with other members contrary to documentation

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2044962 by theluci on 2023-06-30, assigned to @kmorrison1:


Report

Hello,
I stumbled upon this bug.
I’m not sure whether this is a documentation update or a security fix, regardless I thought it should be reported.

Background

GitLab provides various types of membership:

[Screenshot: 1july-1.png]

For Direct shared membership, one may use the Invite a group option:

[Screenshot: 30jun-2.png]

In the above example, Direct members of My-other-group are Direct shared members of a-new-group.

Vulnerability

According to the docs, Inherited group members and Direct shared group members cannot share the group with other members.

[Screenshot: 1july-2.png]

That is, a member that has Inherited membership or Direct shared membership in a group should not be able to invite new members to the group.

However, the above is not enforced.

Steps to reproduce

  1. attacker creates a group attacker-group and adds victim as Guest.
  2. victim creates a group victim-group.
  3. victim goes to https://gitlab.com/groups/<victim-group>/-/group_members, clicks on Invite a group and invites attacker-group as Owner.

attacker is now a Direct shared group member of victim-group.

  4. attacker goes to https://gitlab.com/groups/<victim-group>/-/group_members, clicks on Invite members and invites a user.

attacker is able to share the group with other members contrary to documentation.

Note:

Above, I’ve only demonstrated the attack for Direct shared group members, but it is also possible with Inherited membership.

Output of checks

This bug happens on GitLab.com (probably on self-managed instances too).

Impact

Inherited group member and Direct shared group member can share the group with other members contrary to documentation.
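The following Ruby model, added here to illustrate the report and not taken from GitLab's own authorization code, reconstructs the three membership sources (direct, inherited, direct shared) for the group layout the reporter describes and places the behaviour they observed (only the effective access level is checked) beside the rule they quote from the documentation (inherited and direct shared members cannot share the group). The group tree, the numeric access levels and the choice of Owner as the level required to invite members are assumptions made for this illustration; the model also ignores that a share with a parent group propagates to its subgroups.

```ruby
# Model of GitLab group-membership sources (direct / inherited / shared) and
# the "who may invite members" rule, added for this issue as an illustration.
# It is NOT GitLab's own authorization code; the group layout, the access-level
# numbers and the Owner-only invite rule are assumptions.

ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed group tree mirroring the report's steps: the attacker owns
# attacker-group (with victim as Guest); victim owns victim-group and has
# shared it with attacker-group at Owner level. victim-group/sub is a
# subgroup added only to show inherited membership.
GROUPS = {
  'attacker-group'   => { parent: nil, shares: [],
                          direct: { attacker: ACCESS[:owner], victim: ACCESS[:guest] } },
  'victim-group'     => { parent: nil, direct: { victim: ACCESS[:owner] },
                          shares: [{ group: 'attacker-group', level: ACCESS[:owner] }] },
  'victim-group/sub' => { parent: 'victim-group', direct: {}, shares: [] },
}.freeze

# Direct membership: the user is listed in the group's own member table.
def direct_level(groups, name, user)
  groups.fetch(name)[:direct][user]
end

# Inherited membership: the highest direct level the user holds in any ancestor.
def inherited_level(groups, name, user)
  parent = groups.fetch(name)[:parent]
  return nil unless parent

  [direct_level(groups, parent, user), inherited_level(groups, parent, user)].compact.max
end

# Direct shared membership: for each group invited into this one, the user's
# level is capped by the level the share was granted at (min of the two).
def shared_level(groups, name, user)
  levels = groups.fetch(name)[:shares].map do |share|
    own = [direct_level(groups, share[:group], user),
           inherited_level(groups, share[:group], user)].compact.max
    own && [own, share[:level]].min
  end
  levels.compact.max
end

# Every membership source the user has in the group, with its access level.
def membership_sources(groups, name, user)
  { direct: direct_level(groups, name, user),
    inherited: inherited_level(groups, name, user),
    shared: shared_level(groups, name, user) }.compact
end

def effective_access(groups, name, user)
  membership_sources(groups, name, user).values.max
end

# Behaviour the report observes: only the effective level is checked, so an
# Owner arriving via a share (or via inheritance) can invite members.
def can_invite_by_level?(groups, name, user)
  (effective_access(groups, name, user) || 0) >= ACCESS[:owner]
end

# Rule as the report quotes the documentation: inherited and direct shared
# members cannot share the group, so only a *direct* member may invite.
# Requiring Owner level here is an assumption of this model.
def can_invite_per_docs?(groups, name, user)
  (direct_level(groups, name, user) || 0) >= ACCESS[:owner]
end

if $PROGRAM_NAME == __FILE__
  [[:attacker, 'victim-group'], [:victim, 'victim-group'],
   [:victim, 'victim-group/sub']].each do |user, group|
    puts "#{user} in #{group}: sources=#{membership_sources(GROUPS, group, user)} " \
         "by_level=#{can_invite_by_level?(GROUPS, group, user)} " \
         "per_docs=#{can_invite_per_docs?(GROUPS, group, user)}"
  end
end
```

Running the script shows the gap the report is about: the attacker's only membership in victim-group is a shared one at Owner level, so a check that looks at the effective level alone lets them invite, while the documented rule, applied to the membership source rather than the level, denies it. Whether GitLab's fix should enforce the rule or correct the documentation is exactly the question the reporter raises.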

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: