VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2020 · Updated Aug 4, 2024

CVE-2020-11649

Description

An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE 8.15 through 12.9.2 allowed members of a deleted group to retain the access the group had conferred; fixed in 12.9.3.

Vulnerability

In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 8.15 through 12.9.2, deleting a group did not properly remove its members from the projects and other resources associated with that group. As a result, former group members kept their access to group-owned projects and other resources after the group was gone. All versions from 8.15 to 12.9.2 inclusive are affected.

Exploitation

An attacker who had been a member of a group could continue to access that group's resources after the group was deleted. No additional authentication or privileges are required beyond having been a member of the group before its deletion. The problem arises because deleting the group did not revoke the members' access rights, so access continued to the projects, issues, merge requests, and other resources that had previously been shared with the group.
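The failure mode described in the Vulnerability and Exploitation sections, as an added illustration written for this page (not GitLab's implementation): a constructed model of a materialised grants table in which the vulnerable delete drops the group record but leaves the grants the group conferred, shown beside a fixed delete that revokes them first, plus the audit a defender would run to find grants whose source group no longer exists. The class and function names, the role names and ranks, and the grants-table design are all assumptions made for the example.

```python
# Constructed model of group-scoped authorization grants. Added illustration of
# the bug class behind CVE-2020-11649 (access surviving group deletion); not
# GitLab code. All names, roles and the table layout below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed role ordering, used only to pick the strongest of several grants.
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}


@dataclass(frozen=True)
class Grant:
    user: str
    project: str
    role: str
    source: str  # "direct" or "group:<name>": who conferred this grant


class AccessStore:
    """Materialised grants table, the kind many systems keep for fast lookups."""

    def __init__(self) -> None:
        self.groups: Dict[str, Dict[str, str]] = {}    # group -> {user: role}
        self.group_projects: Dict[str, Set[str]] = {}  # group -> projects it confers access to
        self.grants: Set[Grant] = set()

    def create_group(self, name: str, members: Dict[str, str], projects: Set[str]) -> None:
        self.groups[name] = dict(members)
        self.group_projects[name] = set(projects)
        # Group membership is materialised as one grant per (member, project).
        for user, role in members.items():
            for project in projects:
                self.grants.add(Grant(user, project, role, f"group:{name}"))

    def add_direct_member(self, user: str, project: str, role: str) -> None:
        self.grants.add(Grant(user, project, role, "direct"))

    def delete_group_vulnerable(self, name: str) -> None:
        # Removes the group record only; the grants it materialised survive.
        # This is the failure mode the advisory describes.
        del self.groups[name]
        del self.group_projects[name]

    def delete_group_fixed(self, name: str) -> None:
        # Revoke every grant the group conferred before the group goes away.
        self.grants = {g for g in self.grants if g.source != f"group:{name}"}
        del self.groups[name]
        del self.group_projects[name]

    def role_of(self, user: str, project: str) -> Optional[str]:
        """Effective role, or None when no grant exists (access denied)."""
        roles = [g.role for g in self.grants if g.user == user and g.project == project]
        return max(roles, key=lambda r: ROLE_RANK.get(r, 0)) if roles else None

    def dangling_grants(self) -> List[Grant]:
        """Audit check: grants whose source group no longer exists."""
        return sorted(
            (g for g in self.grants
             if g.source.startswith("group:") and g.source[len("group:"):] not in self.groups),
            key=lambda g: (g.project, g.user),
        )


def demo(fixed: bool) -> dict:
    """Constructed scenario: one group, two group members, one direct member."""
    store = AccessStore()
    store.create_group("platform", {"alice": "developer", "bob": "maintainer"}, {"platform/api"})
    store.add_direct_member("carol", "platform/api", "reporter")
    (store.delete_group_fixed if fixed else store.delete_group_vulnerable)("platform")
    return {
        "alice": store.role_of("alice", "platform/api"),   # group member: must be None after fix
        "carol": store.role_of("carol", "platform/api"),   # direct member: unaffected either way
        "dangling": len(store.dangling_grants()),          # audit finding count
    }


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

The audit in `dangling_grants` is the check worth keeping after the upgrade as well: any grant whose source container no longer exists is, by construction, access that nobody can see or revoke through the normal membership views.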

Impact

Successful exploitation results in unauthorized access to group-owned resources, including potential information disclosure of sensitive project data, source code, and other confidential information. The attacker retains the same level of access they had as a group member, which could include read, write, or admin privileges depending on their role within the group. This violates the expected security boundary that deleting a group should remove all associated access.

Mitigation

The issue is fixed in GitLab 12.9.3, released on April 14, 2020 [1]; upgrade to 12.9.3 or later. No workaround is available for versions prior to the fix, so users on older versions should upgrade as soon as possible.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet).

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet).