User with guest role is able to view the subscription details of a group

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2984457 by iamgk808 on 2025-02-09, assigned to @cmaxim:

Report

Summary

According to the documentation, only users with the owner role can see the subscription details.
(attachment: image.png)

Steps to reproduce

Victim steps

  1. Create a public group called group-1.

  2. Go to the billing page of group-1 and apply the GitLab Ultimate trial to it; the subscription details are shown below.
    (attachment: Screenshot_2025-02-09_125938.png)

  3. Go to the Group Members section and add a new user called attacker-1 with the guest role.
    (attachment: image.png)

Attacker-1 Steps

  1. Log in as attacker-1.
  2. Open this URL: https://gitlab.com/api/v4/namespaces/99955773 (where 99955773 is the group id).
    (attachment: image.png)
  3. It discloses details like billable_members_count, seats_in_use, max_seats_used and end_date (the subscription end date).
    (attachment: Screenshot_2025-02-09_125354.png)

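A regression check for the behaviour described in the steps above, added here as an example and not part of the report or of GitLab's code. It takes a namespace API response (a constructed sample, not a real capture) and the caller's role, and lists the subscription fields named in the report that a non-owner should not see; the role rule is modelled from the documentation statement quoted in the summary ("only owners can see subscription details") and is an assumption.

```python
"""Check a namespace API response for subscription fields exposed to non-owners."""
import json

# Field names taken from the report; end_date is the subscription end date.
SUBSCRIPTION_FIELDS = ("billable_members_count", "seats_in_use",
                       "max_seats_used", "end_date")

# Assumption: the documented rule is modelled as "owner sees the subscription
# details, every other group role sees none of them".
ROLES_ALLOWED_SUBSCRIPTION_DETAILS = frozenset({"owner"})

GROUP_ROLES = ("guest", "reporter", "developer", "maintainer", "owner")


def leaked_fields(response: dict, role: str) -> list:
    """Return the subscription fields present in response that role must not see."""
    if role in ROLES_ALLOWED_SUBSCRIPTION_DETAILS:
        return []
    return [f for f in SUBSCRIPTION_FIELDS
            if f in response and response[f] is not None]


def redact_for_role(response: dict, role: str) -> dict:
    """Server-side shape of the expected fix: drop subscription fields for non-owners."""
    if role in ROLES_ALLOWED_SUBSCRIPTION_DETAILS:
        return dict(response)
    return {k: v for k, v in response.items() if k not in SUBSCRIPTION_FIELDS}


def check_all_roles(response: dict) -> dict:
    """Map each group role to the fields it would see but should not (empty list = OK)."""
    return {role: leaked_fields(response, role) for role in GROUP_ROLES}


# Constructed sample response mirroring the fields named in the report;
# the id is a placeholder, the values are made up.
SAMPLE_RESPONSE = json.loads("""{
  "id": 0, "name": "group-1", "path": "group-1", "kind": "group",
  "billable_members_count": 2, "seats_in_use": 2, "max_seats_used": 2,
  "end_date": "2025-03-11"
}""")

if __name__ == "__main__":
    # A guest must not see any of the four fields; an owner may see all of them.
    for role, fields in check_all_roles(SAMPLE_RESPONSE).items():
        print(f"{role:<10} leaks: {fields or 'none'}")
    assert leaked_fields(redact_for_role(SAMPLE_RESPONSE, "guest"), "guest") == []
```

Running it against a real response captured with a guest-role token is the test that fails while the bug is present and passes once the fields are withheld from non-owners.
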
Impact

It discloses details like billable_members_count, seats_in_use, max_seats_used and end_date (the subscription end date).

Examples

https://gitlab.com/groups/group-2025/-/billings

What is the current bug behavior?

A user with the guest role is able to view the subscription details of a group.

What is the expected correct behavior?

Only users with the owner role can see the subscription details.

Relevant logs and/or screenshots
Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: