GitLab: Adding everyone to the repo due to the lack of rate limit
News category: Vulnerabilities
Source: vulners.com
Summary
Since there is no rate limit in the section for inviting users to a repository, it is possible to add all users on GitLab to a repository.

Steps to reproduce
1. Create a repository.
2. Go to the project members section.
3. Choose a random user.
4. Before clicking the invite button, capture the request with Burp Suite. ███████
5. Send it to the Intruder module, specify the █████ field here between 1 and 7006996, and send the request.

Impact
It is possible to collect all users on GitLab in a single repository, so users' mailboxes will be filled with notifications.

Note
Because the rate limit is out of scope, I tested it and I could not stop the Python script, and there were users affected.
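The missing control is a cap on how many invitations one account can send in a given period. The Ruby code below is an added example, not GitLab's code and not part of the report; the class name, the limit of 20 invitations per hour and the in-memory store are assumptions, and the invite stream is constructed.

```ruby
# Added example: sliding-window limit on member invitations.
# The key is the inviting account, not the project, so spreading
# invitations across several projects does not reset the budget.
class InviteRateLimiter
  def initialize(limit:, window:)
    @limit = limit     # assumed policy: max invitations per inviter per window
    @window = window   # window length in seconds
    @events = Hash.new { |h, k| h[k] = [] } # inviter_id => accepted timestamps
  end

  # Returns true when the invitation may proceed, false when throttled.
  def allow?(inviter_id, now: Time.now.to_f)
    stamps = @events[inviter_id]
    cutoff = now - @window
    # Drop invitations that have aged out of the window.
    stamps.shift while stamps.first && stamps.first <= cutoff
    return false if stamps.size >= @limit

    stamps << now
    true
  end
end

# Constructed input: one account invites sequential user IDs, ten per second.
def simulate_bulk_invites(limiter, inviter_id:, user_ids:, start: 0.0, interval: 0.1)
  accepted = []
  rejected = 0
  user_ids.each_with_index do |uid, i|
    if limiter.allow?(inviter_id, now: start + i * interval)
      accepted << uid
    else
      rejected += 1 # a real service would answer HTTP 429 and log the event
    end
  end
  { accepted: accepted, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  limiter = InviteRateLimiter.new(limit: 20, window: 3600)
  result = simulate_bulk_invites(limiter, inviter_id: 42, user_ids: (1..1000))
  puts "accepted=#{result[:accepted].size} rejected=#{result[:rejected]}"
end
```

In a multi-node deployment the counters would live in a shared store rather than process memory, and the rejected count is a useful alerting signal in its own right.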