Maintainer user can view and assign members to custom roles (new feature) on gitlab.com [ Privilege escalation ]
HackerOne report #2277810 by indoappsec
on 2023-12-08, assigned to @cmaxim:
Report
Summary:
In recent releases gitlab.com has introduced custom group-level roles. Creating, deleting, and assigning custom roles to members etc. can only be done by the Owner of the group.
In my testing I found that normally maintainer-role users are not able to access custom roles, but if they add a new member to the project, they start accessing the custom roles and can also assign members to custom roles, which is only allowed for the group owner.
Permissions and documentation:
https://docs.gitlab.com/ee/user/permissions.html
https://docs.gitlab.com/ee/user/custom_roles.html
Steps to reproduce:
You will need 2 accounts to reproduce the issue.
1. Log in to the owner account, create a group and take an Ultimate trial license.
2. Now create a new project. (Ex: owner project)
3. Now go to Group -> Settings -> Roles and permissions.
4. Create a few custom roles for testing.
5. Now go to Group -> Members.
6. Add a test user with the Maintainer role.
7. Now log in from the test user account and you will notice that this user doesn't have access to custom roles.
8. Now go to Owner project -> Members.
9. Since you are a maintainer you can add new members.
10. Add a new member with any role. (Ex: test 2 user)
11. Once the test 2 user is added, you will notice that you are able to view the custom roles through the permission list of the new user.
12. Now you can assign the test 2 user custom roles, which is only allowed for the owner of the group/project.
Video POC:
I have created a small POC for demonstration.
custom_role_gitlab.mov
Output of checks:
This bug happens on GitLab.com
Impact
Maintainer user can view and assign members to custom roles (new feature) on gitlab.com
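The authorization gap the report describes is a classic one: the ability to add a member is checked, but the role chosen on the same form is not checked against a separate, stricter rule. The following Ruby model is an added example for illustration; it is not GitLab code and does not reflect GitLab's actual policy classes, role names or fix. It assumes a small `MembershipPolicy` object holding the group's custom roles, and compares a flawed rule (whoever can add members can pick any listed role) with a hardened rule where assigning or even listing a custom role remains an owner-only ability, enforced server-side on every request regardless of which UI path produced it.

```ruby
# Added example, not GitLab's own code. Role names, the Member/CustomRole
# structs and MembershipPolicy are assumptions made for this illustration.

BUILTIN_ROLES = %w[guest reporter developer maintainer].freeze

Member     = Struct.new(:name, :role)
CustomRole = Struct.new(:name, :base_role)

class MembershipPolicy
  def initialize(group_custom_roles)
    @custom_roles = group_custom_roles.map(&:name)
  end

  # Maintainers and owners may add members; this check alone is what the
  # flawed rule relies on.
  def can_add_members?(actor)
    %w[maintainer owner].include?(actor.role)
  end

  def custom_role?(role)
    @custom_roles.include?(role)
  end

  # Flawed rule (the behaviour the report describes): once an actor may add
  # members, any role shown on the form, custom roles included, is accepted.
  def can_assign_role_flawed?(actor, role)
    can_add_members?(actor) && (BUILTIN_ROLES.include?(role) || custom_role?(role))
  end

  # Hardened rule: adding members stays a maintainer ability, but a custom
  # role is an owner-only decision. The check is made on the role actually
  # submitted, so hiding the option in the UI is not the control.
  def can_assign_role?(actor, role)
    return false unless can_add_members?(actor)
    return actor.role == 'owner' if custom_role?(role)

    BUILTIN_ROLES.include?(role)
  end

  # The role list offered to an actor is derived from the same rule, so the
  # UI cannot show more than the server will accept.
  def assignable_roles(actor)
    (BUILTIN_ROLES + @custom_roles).select { |r| can_assign_role?(actor, r) }
  end
end

# Server-side entry point: refuse the whole request when the role is not
# permitted for this actor, instead of trusting the submitted form.
def add_member(policy, actor, new_member)
  unless policy.can_assign_role?(actor, new_member.role)
    raise ArgumentError, "#{actor.name} may not assign role #{new_member.role}"
  end

  new_member
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data for a stand-alone run.
  policy = MembershipPolicy.new([CustomRole.new('triage', 'reporter')])
  owner  = Member.new('owner', 'owner')
  maint  = Member.new('test', 'maintainer')

  puts "flawed, maintainer -> triage: #{policy.can_assign_role_flawed?(maint, 'triage')}"
  puts "hardened, maintainer -> triage: #{policy.can_assign_role?(maint, 'triage')}"
  puts "hardened, owner -> triage: #{policy.can_assign_role?(owner, 'triage')}"
  puts "roles offered to maintainer: #{policy.assignable_roles(maint).inspect}"
end
```

The point of `assignable_roles` is that the role picker and the request handler share one policy method; when the visible list and the accepted list are computed separately, a maintainer reaching the form through a different path (here, right after adding a member) can end up with options the handler never meant to honour.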