Reporter with admin_group_member can delete issues
HackerOne report #2861889 by yuki_osaki
on 2024-11-23, assigned to GitLab Team
Report
There is a security vulnerability where a user holding a custom role based on Reporter with the Admin Group Member permission can delete issues (including confidential ones) by inviting a user with the Planner role. Since Planners are permitted to delete issues, any user who can invite Planners can delete issues. Prior to the addition of the Planner role's permissions, only Owners were allowed to delete issues. Due to this change, users with the Reporter role plus Admin Group Member permission, and Maintainers, can invite a Planner account that the attacker creates or controls and thereby delete issues, even though neither role is supposed to be able to delete issues. This is a privilege escalation, allowing lower-privileged users to perform actions reserved for higher-privileged roles.
Note
GitLab treats privilege escalation via admin_group_member permissions seriously. Similar issues have been addressed in past releases, so this one should be valid as well:
- User with admin_group_member permission can ban group members
  https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/
Description
GitLab recently introduced the Planner role:
!169256 (merged)
In this change, the Planner role was granted the destroy_issue permission:
!169256 (diffs)
app/policies/group_policy.rb
    rule { planner }.policy do
      enable :planner_access
      enable :guest_access
      enable :admin_label
      enable :admin_milestone
      enable :admin_issue_board
      enable :admin_issue_board_list
      enable :admin_issue
      enable :update_issue
      enable :destroy_issue
      enable :read_confidential_issues
      enable :read_crm_organization
      enable :read_crm_contact
    end
Previously, the ability to delete issues (destroy_issue) was permitted only to the Owner role. With this change:
• Planner can now delete issues.
• Users with the ability to manage group members (such as Reporters with the Admin Group Member permission) can indirectly delete issues by inviting a Planner.
This leads to privilege escalation, where users with lower permissions can perform actions that were previously restricted to higher-privileged roles.
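The point above is that permissions compose: a role that can add members effectively inherits every ability of any role it is allowed to invite. The following is an added example (not GitLab code) that models that composition from the report's policy excerpt and flags a role that reaches destroy_issue only through invitation; the ability sets other than Planner's, and the assumption that an admin_group_member holder may invite Planner, Reporter and Maintainer members, are constructed for the model.

```ruby
# Added example, not GitLab code: transitive-permission check for the
# "invite a role that has the ability" escalation described in the report.
require 'set'

# Direct abilities per role. The planner entry follows the report's
# group_policy.rb excerpt; the other entries are constructed for the model
# (owner deletes issues directly; the custom role is Reporter plus
# admin_group_member, as in the report's reproduction steps).
DIRECT_ABILITIES = {
  owner:           Set[:admin_group_member, :destroy_issue, :update_issue,
                       :read_confidential_issues],
  planner:         Set[:planner_access, :guest_access, :admin_issue,
                       :update_issue, :destroy_issue, :read_confidential_issues],
  maintainer:      Set[:admin_group_member, :update_issue],
  reporter:        Set[:update_issue],
  custom_reporter: Set[:update_issue, :admin_group_member] # constructed
}.freeze

# Assumption: a holder of :admin_group_member may add members at these roles.
INVITABLE_BY_MEMBER_ADMIN = %i[planner reporter maintainer].freeze

# Abilities a role can exercise if its holder controls every account it
# invites: the union of its own abilities and those of every role reachable
# through successive invitations (breadth-first over the invite graph).
def effective_abilities(role, abilities = DIRECT_ABILITIES)
  reached = Set[role]
  queue = [role]
  until queue.empty?
    current = queue.shift
    next unless abilities.fetch(current).include?(:admin_group_member)
    INVITABLE_BY_MEMBER_ADMIN.each do |invitee|
      queue << invitee if reached.add?(invitee) # add? is nil when already seen
    end
  end
  reached.map { |r| abilities.fetch(r) }.reduce(Set.new, :|)
end

# True when +role+ lacks +ability+ directly but can obtain it by inviting;
# this is the condition a policy review should reject.
def escalates_to?(role, ability, abilities = DIRECT_ABILITIES)
  !abilities.fetch(role).include?(ability) &&
    effective_abilities(role, abilities).include?(ability)
end

if __FILE__ == $PROGRAM_NAME
  DIRECT_ABILITIES.each_key do |role|
    puts "#{role} reaches :destroy_issue only via invitation" if escalates_to?(role, :destroy_issue)
  end
end
```

Running the script reports custom_reporter and maintainer as roles that reach destroy_issue only by inviting a Planner, which is exactly the gap the report describes.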
How to reproduce
1. Create a group
2. Enable the Enterprise plan for the created group.
3. Within the group, create a new project and add a confidential issue to the project.
4. Set up a custom role based on the Reporter role, granting it the Admin Group Member permission.
5. Invite an attacker (e.g., member1111) to the group with the custom role.
Add the attacker to the group using the newly created custom role.
6. Confirm the attacker cannot delete the issue
Verify that the attacker (member1111) does not have permission to delete issues.
7. The attacker invites a user with the Operator role.
The attacker invites a user with the Operator role (e.g., member22222). Assume this user is controlled or designated by the attacker.
8. Confirm that the operator can delete the issue.
Verify that the operator (member22222) is able to delete the issue.
• Result:
An Admin Group Member based on the Reporter role can invite an Operator and thereby indirectly delete issues. This allows privilege escalation.
Impact
Reporter with admin_group_member can delete issues.
What is the current bug behavior?
Reporter with admin_group_member can delete issues.
What is the expected correct behavior?
Reporter with admin_group_member can not delete issues.
Output of checks
This bug happens on GitLab.com