Guest user with "Admin group member" permission can edit custom role and gain other custom permissions
HackerOne report #2478469 by chotebabume on 2024-04-25, assigned to @greg:
Report
Summary
Hi team,
GitLab recently added the ability for a group owner to assign multiple feature permissions to a single custom role, see here -
As Group Owner I created a custom role with all additional permissions -
bandicam_2024-04-25_10-53-28-598.mp4
As Owner, I also created a custom role for "add group member" with the base level "guest role" on the group, so if the owner assigns this "add group member" custom role to a user, that user is only able to add members to the victim group with the "guest user role".
But I found there was a misconfiguration: first the group owner only created a custom role with the single permission "add group member" and assigned it to a user; later the group owner decided to increase the permissions on that custom role, so he enabled all permissions on that custom role.
Then there should be an error in the member tab for those users until the owner updates each user's role, because these permissions apply directly to the users of the original single-permission custom role.
So, exploiting this misconfiguration, the attacker first adds his second account with the "guest" role on the victim user's group, later changes his second account's role to the custom role created by the owner, and later, if the owner adds all the multiple feature permissions to that custom role, the attacker achieves privilege escalation on the victim user's group.
Steps to reproduce
1. As Owner, create a group
2. As Owner, navigate > settings > roles_and_permissions
4. Create the custom role "add group member" with base role "guest"
5. Now add userB to the group and assign the custom role "add group member"
6. So with that custom role, userB should be able to add group members with the guest role to the victim user's group
7. Now, as the custom-role user userB, add his second account with the guest role to the victim user's group
8. Now userB changes his second account's user role to the victim user's custom role
9. Later, if the owner adds multiple permissions to that custom role, those permissions directly apply to the old user with the single-permission custom role
Here is the video PoC -
bandicam_2024-04-25_11-47-07-176.mp4
Impact
New additional permissions should be applied when the owner adds a new user with that custom role and updates the user's role, not directly grant access to old users with the single-permission role.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
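An owner-side check for the behaviour this report describes, added here as an example and not code from the reporter or from GitLab: before a custom role is widened, list every member who already holds it, since they inherit the new permissions immediately, and flag roles that grant `admin_group_member`, the permission the report's steps rely on. The sample records are constructed, and the field names are an assumption about the shape of the member-roles and group-members API responses.

```python
from __future__ import annotations
from typing import Iterable

# Permission flags a custom role record may carry (assumed field names).
PERMISSION_KEYS = ("admin_group_member", "read_code",
                   "admin_vulnerability", "read_dependency")

# Constructed sample data mirroring the report: one guest-based custom role
# with only "add group member", held by userB and by userB's second account.
MEMBER_ROLES = [
    {"id": 101, "name": "add group member", "base_access_level": 10,
     "admin_group_member": True, "read_code": False,
     "admin_vulnerability": False, "read_dependency": False},
]
GROUP_MEMBERS = [
    {"username": "owner",  "access_level": 50, "member_role": None},
    {"username": "userB",  "access_level": 10, "member_role": {"id": 101}},
    {"username": "userB2", "access_level": 10, "member_role": {"id": 101}},
]

def granted(role: dict) -> set[str]:
    """Permission flags currently enabled on a custom role record."""
    return {k for k in PERMISSION_KEYS if role.get(k)}

def roles_granting_member_admin(roles: Iterable[dict]) -> list[int]:
    """Custom roles whose holders can add or re-role members."""
    return [r["id"] for r in roles if r.get("admin_group_member")]

def holders(members: Iterable[dict], role_id: int) -> list[str]:
    """Members assigned a custom role; every edit to the role reaches them."""
    return sorted(m["username"] for m in members
                  if (m.get("member_role") or {}).get("id") == role_id)

def review_role_expansion(roles: Iterable[dict], members: Iterable[dict],
                          role_id: int, proposed: dict) -> dict:
    """Report which members gain which permissions if the role becomes `proposed`."""
    role = next(r for r in roles if r["id"] == role_id)
    wanted = {k for k, v in proposed.items() if v and k in PERMISSION_KEYS}
    gained = sorted(wanted - granted(role))
    affected = holders(members, role_id)
    return {"role": role["name"], "affected": affected, "gained": gained,
            "needs_review": bool(gained) and bool(affected)}

if __name__ == "__main__":
    print(review_role_expansion(MEMBER_ROLES, GROUP_MEMBERS, 101,
          {"admin_group_member": True, "read_code": True, "admin_vulnerability": True}))
```

A `needs_review` result means existing holders, not just members added afterwards, would receive the new permissions, which is the propagation the report's Impact section objects to.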