CVE-2021-39876: Endpoint for auto-completing Assignee discloses the members of private groups (#29683) · Issues · GitLab.org / GitLab
In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.
HackerOne report #627507 by ngalog on 2019-06-24, assigned to estrike:
Summary
I have a project, with id 10257668, and I have invited a private group as a developer to this project. As that group is private, you should not see its membership. However, there is a way to find out the project's private membership:
- Correct permission check: https://gitlab.com/api/v4/projects/:project_id/members - does not disclose private group’s membership.
- Incorrect permission check: https://gitlab.com/autocomplete/users.json?search=&active=true&project_id=10257668&current_user=true - discloses the members of the private group.
Steps to reproduce:
- Login to gitlab.com.
- Visit this project members page: https://gitlab.com/api/v4/projects/10257668/members. See this project has only one member.
- Visit https://gitlab.com/autocomplete/users.json?search=&active=true&project_id=10257668&current_user=true. See this project has more than one member, thus disclosing the private membership.
Impact
Disclosure of members in a private group.
Proposal
The autocomplete endpoint should use the permission check from the Project Members API endpoint (https://gitlab.com/api/v4/projects/[project-id]/members).
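The authorization mismatch the report describes, and the proposed fix of routing both endpoints through one shared membership check, as an added Ruby illustration that is not GitLab's own code: the Group/Project structs, the helper names and the sample members are constructed assumptions.

```ruby
# Added illustration (not GitLab's code): a minimal model of the flaw and of
# the proposed fix. Group, Project, can_read_group_members? and visible_members
# are hypothetical names; the sample members below are constructed data.

Group   = Struct.new(:name, :visibility, :members)  # members: user names
Project = Struct.new(:direct_members, :invited_groups)

# Can `viewer` see who is in `group`? A private group reveals its members
# only to users who are themselves in that group.
def can_read_group_members?(viewer, group)
  group.visibility == :public || group.members.include?(viewer)
end

# Buggy autocomplete: flattens every invited group's members without any
# visibility check, which is the behaviour reported for
# /autocomplete/users.json (private group members leak to any project member).
def autocomplete_users_vulnerable(project, _viewer)
  (project.direct_members + project.invited_groups.flat_map(&:members)).uniq
end

# The single permission check the Members API applies: invited groups only
# contribute members when the viewer may read that group's membership.
def visible_members(project, viewer)
  group_members = project.invited_groups
    .select { |g| can_read_group_members?(viewer, g) }
    .flat_map(&:members)
  (project.direct_members + group_members).uniq
end

# Fixed autocomplete reuses the same check, so both endpoints agree.
def autocomplete_users_fixed(project, viewer)
  visible_members(project, viewer)
end

# Constructed sample: one direct project member plus one private invited group.
SECRET_GROUP = Group.new("secret-team", :private, %w[alice bob])
PROJECT      = Project.new(%w[owner], [SECRET_GROUP])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, as project owner: #{autocomplete_users_vulnerable(PROJECT, 'owner')}"
  puts "fixed, as project owner:      #{autocomplete_users_fixed(PROJECT, 'owner')}"
  puts "fixed, as group member alice: #{autocomplete_users_fixed(PROJECT, 'alice')}"
end
```

Run as a script to see the project owner (who is not in the private group) receive the full member list from the vulnerable version and only the direct members from the fixed one.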