Access Projects And create projects in gitlab pre production server
Discovered by uzsunny on Gitlab

This issue took 6 Days and 18 hours to triage and 0 Days and 21 hours to close the report once triaged.



Steps to reproduce

Go to https://pre.gitlab.com

Here any one can register and can view the pre production projects of gitlab developers.

I have registered in https://pre.gitlab.com/users/sign_in

and have created one test group and test project

go to https://pre.gitlab.com/explore/groups

i have created one test group

{F470509}

And i have created one test project

{F470510}

I went to look for gitlab project members https://pre.gitlab.com/qa-perf-testing/gitlabhq/project_members

I have seen it was created by your gitlab employee Ramya Authappan

https://pre.gitlab.com/rauthappan

The attacker not only access the internal projects of gitlab but he can also create groups and projects in pre production server of gitlab.

Impact

Attacker will access the pre production server of gitlab and he access the groups and projects created by gitlab employees.

Attacker will also create the projects and groups in pre production server of gitlab.