
Guest with manage group access tokens can rotate and see group access token with owner permissions

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2356976 by ashish_r_padelkar on 2024-02-06, assigned to @rshambhuni:


Report

Summary

It is possible for a guest with a custom role that has manage group access tokens permission to rotate an access token with group owner privileges using this vulnerability.

Steps to reproduce

1. Create a group (with ultimate licence trial).
2. Create a group access token with owner role and api scope at https://Yourinstance/groups/groupjan2024/-/settings/access_tokens
3. Now use your personal access token to create a custom role of guest role with manage_group_access_tokens permission.

curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer glpat-1233" --data '{"name" : "Custom guest1", "base_access_level" : 10, "manage_group_access_tokens" : true}' "http://Yourinstance/api/v4/groups/34/member_roles"  

4. Now apply this custom role to a group member at https://Yourinstance/groups/groupjan2024/-/group_members.
5. Log in as the above member and you see that you can see the group access token entry at https://Yourinstance/groups/groupjan2024/-/settings/access_tokens but can't see the token itself.
6. Now use the below curl to rotate the token.

curl --request POST --header "PRIVATE-TOKEN: glpat-123" "http://Yourinstance/api/v4/groups/34/access_tokens/13/rotate"  

PRIVATE-TOKEN is your personal token, which can be created at https://Yourinstance/-/user_settings/personal_access_tokens
The access_tokens ID (in this case, it's 13) can be obtained from http://Yourinstance/api/v4/groups/34/access_tokens
7. The response will show you the token, which has owner permission despite you having just the guest role.

What is the current bug behavior?

Guest with manage group access tokens can rotate and see group access token with owner permissions

What is the expected correct behavior?

Guest with manage group access tokens can rotate but shouldn't see the group access token with higher permissions

Output of checks

GitLab Enterprise Ultimate 16.8
Creation of group access tokens is not enabled on gitlab.com yet.

Regards,
Ashish

Impact

Guest with manage group access tokens can rotate and see group access token with owner permissions
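The following Ruby is an added illustrative model written for this page; it is not GitLab's code and not the actual fix. It contrasts the authorization rule the report describes (the custom manage_group_access_tokens permission alone is checked, so a Guest-level role can rotate an Owner-level token and receive the new secret) with a hardened rule, assumed here, that additionally requires the caller's own access level to be at least the level the token grants. The access-level numbers follow GitLab's convention (10 = Guest, as in the report's base_access_level; 50 = Owner); the "glpat-" secret format and the Member/GroupAccessToken structs are constructed placeholders.

```ruby
require 'securerandom'

# GitLab access-level numbering (the report's base_access_level 10 is Guest).
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
MANAGE_TOKENS = :manage_group_access_tokens # custom-role permission named in the report

# Constructed stand-ins for a group member and a group access token.
Member = Struct.new(:username, :base_access_level, :custom_permissions) do
  def initialize(username, base_access_level, custom_permissions = [])
    super
  end
end

GroupAccessToken = Struct.new(:token_id, :access_level, :scopes, :secret)

# Owners manage group tokens by default; a custom role can add the permission.
def may_manage_tokens?(actor)
  actor.base_access_level >= OWNER || actor.custom_permissions.include?(MANAGE_TOKENS)
end

# Behaviour the report describes: only the permission is checked, so a Guest
# custom role can rotate an Owner-level token and read the new secret.
def can_rotate_vulnerable?(actor, _token)
  may_manage_tokens?(actor)
end

# Hardened rule (an assumption, not GitLab's actual fix): the actor's own role
# must be at least the role the token grants, so rotation can never hand out a
# credential stronger than the caller's.
def can_rotate_hardened?(actor, token)
  may_manage_tokens?(actor) && actor.base_access_level >= token.access_level
end

class RotationDenied < StandardError; end

# Rotate `token` under `policy`; returns the new secret or raises RotationDenied.
def rotate_token(actor, token, policy = method(:can_rotate_hardened?))
  unless policy.call(actor, token)
    raise RotationDenied,
          "#{actor.username} (level #{actor.base_access_level}) may not rotate " \
          "token #{token.token_id} granting level #{token.access_level}"
  end
  token.secret = "glpat-#{SecureRandom.urlsafe_base64(15)}" # constructed placeholder format
  token.secret
end

# Rows of [username, vulnerable_allows, hardened_allows] for an audit view.
def compare_policies(actors, token)
  actors.map { |a| [a.username, can_rotate_vulnerable?(a, token), can_rotate_hardened?(a, token)] }
end

if __FILE__ == $PROGRAM_NAME
  owner_token = GroupAccessToken.new(13, OWNER, %w[api], nil) # token id 13 as in the report
  actors = [
    Member.new('owner', OWNER),
    Member.new('plain-guest', GUEST),
    Member.new('custom-guest', GUEST, [MANAGE_TOKENS])
  ]
  compare_policies(actors, owner_token).each do |name, vuln, hard|
    puts format('%-13s vulnerable=%-5s hardened=%s', name, vuln, hard)
  end
end
```

Running the block prints one row per actor: the owner is allowed under both rules, the plain guest under neither, and the custom guest only under the vulnerable rule, which is exactly the gap between the report's current and expected behaviour. The design point is that a "manage" permission should gate who may call the endpoint, while the comparison of access levels gates which tokens that caller may touch; the hardened check keeps both.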

How To Reproduce

Please add reproducibility information to this section:

Edited by Rohit Shambhuni