Guest with manage group access tokens can rotate and see group access token with owner permissions
HackerOne report #2356976 by ashish_r_padelkar
on 2024-02-06, assigned to @rshambhuni:
Report
Summary
It is possible for a guest with a custom role that has the manage group access tokens permission
to rotate an access token with group owner privileges using this vulnerability.
Steps to reproduce
1. Create a group (with ultimate licence trial).
2. Create a group access token with owner role and api scope at https://Yourinstance/groups/groupjan2024/-/settings/access_tokens
3. Now use your personal access token to create a custom role based on the guest role with the manage_group_access_tokens permission.
curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer glpat-1233" --data '{"name" : "Custom guest1", "base_access_level" : 10, "manage_group_access_tokens" : true}' "http://Yourinstance/api/v4/groups/34/member_roles"
4. Now apply this custom role to a group member at https://Yourinstance/groups/groupjan2024/-/group_members.
5. Log in as the above member and you will see that you can see the group access token entry at https://Yourinstance/groups/groupjan2024/-/settings/access_tokens
but can't see the token itself.
6. Now use the below curl to rotate the token.
curl --request POST --header "PRIVATE-TOKEN: glpat-123" "http://Yourinstance/api/v4/groups/34/access_tokens/13/rotate"
PRIVATE-TOKEN is your personal token, which can be created at https://Yourinstance/-/user_settings/personal_access_tokens
The access_tokens ID (in this case it's 13) can be obtained from http://Yourinstance/api/v4/groups/34/access_tokens
7. The response will show you the token, which has owner permission despite you having just the guest role.
What is the current bug behavior?
Guest with manage group access tokens can rotate and see group access token with owner permissions
What is the expected correct behavior?
Guest with manage group access tokens can rotate but shouldn't see the group access token with higher permissions
Output of checks
Gitlab enterprise ultimate 16.8
Creation of group access tokens is not enabled on gitlab.com yet.
Regards,
Ashish
Impact
Guest with manage group access tokens can rotate and see group access token with owner permissions
How To Reproduce
Please add reproducibility information to this section:
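An illustrative authorization check for the mitigation described in the report above. This is added example code, not GitLab's implementation or its actual fix: it assumes a group access token is backed by a bot member with its own access level, and, since rotating a token returns the new secret, it denies rotation of any token whose access level exceeds the caller's own, even when the caller's custom role grants manage_group_access_tokens. Access-level constants, struct names and fixtures are constructed for the example.

```ruby
# Illustrative policy check (example code, not GitLab's own): a custom-role
# permission to manage group access tokens must not let a member rotate,
# and thereby read, a token with a higher access level than their own.

GUEST = 10
OWNER = 50

# Constructed models: a token carries the access level of its bot member;
# a member has a base access level plus custom-role permissions.
GroupAccessToken = Struct.new(:id, :access_level, :revoked)
Member = Struct.new(:user, :access_level, :custom_permissions)

class TokenRotationPolicy
  def initialize(member)
    @member = member
  end

  # Rotation is allowed only if the member holds the permission AND the
  # token's access level does not exceed the member's own level.
  def can_rotate?(token)
    return false if token.revoked
    return false unless has_permission?
    @member.access_level >= token.access_level
  end

  private

  def has_permission?
    @member.access_level >= OWNER ||
      @member.custom_permissions.include?(:manage_group_access_tokens)
  end
end

# Revokes the old token and issues a replacement with the same access level,
# returning :forbidden (and no secret) when the policy denies the caller.
def rotate_token(member, token)
  return { status: :forbidden } unless TokenRotationPolicy.new(member).can_rotate?(token)

  token.revoked = true
  { status: :ok, token: GroupAccessToken.new(token.id + 1, token.access_level, false) }
end
```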