GitLab Group Maintainers Privilege Escalation: Unauthorized Runner Editing

Key Information Summary Issue Title: Group Maintainers can edit group runners Created Date: May 18, 2019 Status: Closed Severity: 3 Labels: - Category: Continuous Integration - Deliverable - HackerOne - devops - verify - group - pipeline execution - production Vulnerability Description Summary: For group maintainers, the settings page is not visible, so they cannot create group runners. According to documentation, group maintainers have sufficient permissions to create group runners. However, the decision was made not to allow group maintainers to create group runners. Nevertheless, group maintainers can still update existing group runners. Steps to reproduce: 1. As a group maintainer, the page is not visible. 2. Navigate to any project within the group; group runners are visible, but the full token cannot be seen, nor can they be edited. The runner ID can be viewed. 3. Copy the runner ID and navigate directly to to view the full details of the group runner and even edit and save changes. Current bug behavior: Group maintainers can edit group runners, which appears incorrect from a UI perspective, especially considering recent changes that prevent maintainers from viewing group CI/CD settings. Expected behavior: Group maintainers should not be able to edit group runners, which is inconsistent with current permission settings and documentation.

Goal Reached Thanks to every supporter — we hit 100%!

GitLab Group Maintainers Privilege Escalation: Unauthorized Runner Editing