Due to an issue with the way the REST API for group maintainers works, it’s possible for malicious group maintainers to add new members to projects within their group, even if the group owner has enabled a setting to prevent members from being added to projects within that group. In order to achieve this, a malicious group maintainer needs to have access to the group owner’s credentials. The issue has been fixed in version 15.0.2 of GitLab. If you are running an older version, you can upgrade to a newer version, or contact support and we’ll help you upgrade.

Summary

Due to an issue with the way the REST API for group maintainers works, a malicious group maintainer can add new members to projects within their group, regardless of the group owner's settings. This can result in unwanted people gaining access to sensitive data about your project and company.

How do I know if I’m affected?

If you’re running a version of GitLab that is affected by this issue, you will see the following message in your logs:
"Group maintainer access is granted: see /system/group-managers/group_name/projects"

The issue has been fixed in version 15.0.2 of GitLab. If you are running an older version, you can upgrade to a newer version, or contact support and we’ll help you upgrade.

Description of the vulnerability

GitLab is an open-source project, and many of its features are open source as well. One of these features is support for groups of users, which can be used to share and collaborate on projects. When a group is created, members can be allowed to join or leave the group. If a group is private, only the group owner has access to add members to, or remove them from, projects within the group. In GitLab versions 15.0.0-15.0.1, it was possible in some cases for malicious group maintainers to bypass this setting and add new members to projects within their groups by tampering with the REST API for group maintainers.
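As an added illustration (not part of this advisory and not GitLab's own tooling), the following Python helper does two things an administrator would want after reading the description above: it checks whether a reported version falls in the affected range (15.0.0 up to, but not including, the 15.0.2 fix), and it flags project member additions made by someone who is not a group owner while the group's "prevent members from being added to projects" setting is enabled. The event record layout, the boolean `membership_lock` flag and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Range the advisory names: affected 15.0.0-15.0.1, fixed in 15.0.2.
FIRST_AFFECTED = (15, 0, 0)
FIXED_VERSION = (15, 0, 2)


def parse_version(text: str) -> tuple:
    """Turn a version string such as '15.0.1-ee' into (15, 0, 1).
    An edition suffix after '-' is ignored."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(text: str) -> bool:
    """True when the version lies in [15.0.0, 15.0.2)."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED_VERSION


@dataclass
class MemberAdded:
    """One 'member added to project' event (assumed layout)."""
    project: str
    actor: str
    actor_group_role: str   # role the actor holds in the parent group
    new_member: str


def suspicious_additions(events, membership_lock: bool):
    """Return events where a non-owner added a project member while the
    group setting meant to block that was on. With the setting off,
    maintainers adding members is normal, so nothing is flagged."""
    if not membership_lock:
        return []
    return [e for e in events if e.actor_group_role != "owner"]


# Constructed sample data, not taken from a real instance.
SAMPLE_EVENTS = [
    MemberAdded("group/app", "alice", "owner", "dave"),
    MemberAdded("group/app", "mallory", "maintainer", "eve"),
    MemberAdded("group/infra", "bob", "maintainer", "frank"),
]

if __name__ == "__main__":
    print("affected:", is_affected_version("15.0.1-ee"))
    for e in suspicious_additions(SAMPLE_EVENTS, membership_lock=True):
        print(f"review: {e.actor} ({e.actor_group_role}) added "
              f"{e.new_member} to {e.project}")
```

Flagged events are leads for review, since a legitimate owner action taken with a maintainer account would look the same; confirm against the group's audit history before acting.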

What is the issue?

We are not aware of any issues with the REST API for group maintainers in GitLab.
This issue has been fixed in version 15.0.2 of GitLab. If you are running an older version, you can upgrade to a newer version, or contact support and we’ll help you upgrade.

Timeline

Published on: 06/06/2022 17:15:00 UTC
Last modified on: 06/13/2022 17:59:00 UTC

References