User with "admin_group_members" can still invite other groups to gain owner access (CVE-2023-6396 bypass)

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2270898 by joaxcar on 2023-12-03, assigned to @rshambhuni:

Report

Summary

GitLab 16.6.1 patched a fix where users with the custom role "admin_group_members" could invite users at a higher role than the custom role's base role. This restriction is now in place, but in groups that allow users to request access (public or internal groups) a user with this custom role can still take ownership of the group by inviting a group instead of inviting a "member".

An attack would look like this:

  1. A user gets assigned a custom role based on Guest that allows for admin_group_user
  2. The user creates another group where it will become owner
  3. Then the attacker invites this new group at "max membership role" as owner
  4. The attacker will now be owner of the target group

Steps to reproduce

Preconditions:

  1. Start a new Ultimate trial on Gitlab.com
  2. Create two users victim_user, attacker_user
  3. Create a private group private_ultimate_group as victim_user
  4. Go to https://gitlab.com/groups/GROUPNAME/-/settings/roles_and_permissions
  5. Create a custom role with admin_group_member checked, based on guest. Call it "guest manager"
  6. Go to https://gitlab.com/groups/GROUPNAME/-/group_members and invite attacker_user as "guest manager"

The attack:

  7. Log in as attacker_user
  8. Create a new group called attacker_group
  9. Go to https://gitlab.com/groups/private_ultimate_group/-/group_members

Scenario 1

  1. Click "Invite group"
  2. Search for attacker_group and select it. Also select "Role" as owner
  3. Click invite
  4. Refresh the page and the attacker should now be owner of the group with full owner access

Scenario 2

  1. Find an existing group member (it can be the attacker's second account, added as guest)
  2. Change it to any role higher than guest, e.g. owner
  3. Refresh the page and the existing member should now be owner of the group with full owner access

Impact

Privilege escalation from low custom role to group owner

What is the current bug behavior?

Custom role users can invite groups at higher role level than itself

What is the expected correct behavior?

Custom roles should only be allowed to invite groups at max their own level

Output of checks

This bug happens on GitLab.com

Edited by Jarka Košanová
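As an added illustration (not GitLab's code and not part of the report above): a minimal Python model of the authorization gap the report describes, where the base-role cap is enforced on the "invite member" path but not on the "invite group" or "change existing member's role" paths, beside a hardened version that routes all three through a single cap check. The access-level numbers, the `admin_group_member` ability name, and the scenario fixtures are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class AccessLevel(IntEnum):
    # Constructed ordering; only the relative order matters for the cap check.
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


@dataclass
class Membership:
    user: str
    level: AccessLevel                  # base access level of the member's role
    abilities: frozenset = frozenset()  # extra abilities granted by a custom role


@dataclass
class Group:
    name: str
    members: dict = field(default_factory=dict)        # user -> Membership
    shared_groups: dict = field(default_factory=dict)  # invited group -> AccessLevel


class Forbidden(Exception):
    pass


def can_admin_members(group, actor):
    m = group.members.get(actor)
    return m is not None and (m.level >= AccessLevel.OWNER or "admin_group_member" in m.abilities)


# Vulnerable shape (hypothetical reconstruction of the reported gap): the base-role cap
# is applied only when inviting an individual member; sharing the group with another
# group and updating an existing member check the ability alone.
def invite_member_vulnerable(group, actor, invitee, level):
    if not can_admin_members(group, actor):
        raise Forbidden("not allowed to manage members")
    own = group.members[actor].level
    if own < AccessLevel.OWNER and level > own:
        raise Forbidden("cannot invite above own base role")
    group.members[invitee] = Membership(invitee, level)

def share_with_group_vulnerable(group, actor, other_group, level):
    if not can_admin_members(group, actor):
        raise Forbidden("not allowed to manage members")
    group.shared_groups[other_group] = level  # no cap: a Guest-based role can hand out OWNER

def update_member_vulnerable(group, actor, member, level):
    if not can_admin_members(group, actor):
        raise Forbidden("not allowed to manage members")
    group.members[member].level = level       # same gap on the role-change path


# Hardened shape: every path that grants access goes through one cap computation.
def max_grantable_level(group, actor):
    if not can_admin_members(group, actor):
        raise Forbidden("not allowed to manage members")
    own = group.members[actor].level
    return AccessLevel.OWNER if own >= AccessLevel.OWNER else own

def check_grant(group, actor, level):
    cap = max_grantable_level(group, actor)
    if level > cap:
        raise Forbidden(f"{actor} may grant at most {cap.name}, requested {level.name}")

def invite_member(group, actor, invitee, level):
    check_grant(group, actor, level)
    group.members[invitee] = Membership(invitee, level)

def share_with_group(group, actor, other_group, level):
    check_grant(group, actor, level)
    group.shared_groups[other_group] = level

def update_member(group, actor, member, level):
    check_grant(group, actor, level)
    group.members[member].level = level


def new_target_group():
    # Constructed fixture mirroring the report's preconditions.
    g = Group("private_ultimate_group")
    g.members["victim_user"] = Membership("victim_user", AccessLevel.OWNER)
    g.members["attacker_user"] = Membership(
        "attacker_user", AccessLevel.GUEST, frozenset({"admin_group_member"}))
    g.members["second_account"] = Membership("second_account", AccessLevel.GUEST)
    return g

def attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"

def run_scenarios():
    results = {}
    g = new_target_group()
    results["vuln_invite_member_owner"] = attempt(invite_member_vulnerable, g, "attacker_user", "x", AccessLevel.OWNER)
    results["vuln_share_owner"] = attempt(share_with_group_vulnerable, g, "attacker_user", "attacker_group", AccessLevel.OWNER)
    results["vuln_update_owner"] = attempt(update_member_vulnerable, g, "attacker_user", "second_account", AccessLevel.OWNER)
    g = new_target_group()
    results["fixed_share_owner"] = attempt(share_with_group, g, "attacker_user", "attacker_group", AccessLevel.OWNER)
    results["fixed_update_owner"] = attempt(update_member, g, "attacker_user", "second_account", AccessLevel.OWNER)
    results["fixed_share_guest"] = attempt(share_with_group, g, "attacker_user", "attacker_group", AccessLevel.GUEST)
    results["fixed_owner_share_owner"] = attempt(share_with_group, g, "victim_user", "partner_group", AccessLevel.OWNER)
    return results
```

The point of the hardened half is the single `check_grant` chokepoint: any new way of handing out access (a future "invite by e-mail" or bulk-import path, for instance) inherits the cap automatically instead of depending on someone remembering to copy the check.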