
Robot account update robot account without creator might cause privilege escalation #21026

Closed
stonezdj opened this issue Oct 10, 2024 · 1 comment
Comments

@stonezdj
Contributor

Steps to reproduce:

  1. Create a robot account A (project level) and grant it the robot permissions (create/delete/update/list).
  2. Use robot account A to create robot account B; B has the robot permissions (create/delete/update/list).
  3. Use robot account B to create robot account C; C has the robot permissions (create/delete/update/list).
  4. Delete robot account B. Robot account A can then update robot account C and grant account C excessive permissions, such as accessory list.

When the robot account's creator is removed, the update operation should be limited or disabled.
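The check the issue asks for, as an added example that is not Harbor's own code: a constructed in-memory model of project-level robot accounts in which each robot records its creator. An update is allowed only if the actor is the target's direct creator and the permissions being granted are a subset of the actor's own. With those two rules, the reproduction steps above end in a denial: once B is deleted, C's creator no longer exists, so A (B's creator, not C's) cannot take C over, and `accessory:list` cannot be granted by an actor that does not hold it. The `Robot`, `Store` and `CanUpdate` names, and the `resource:action` permission strings, are assumptions of this example, not Harbor identifiers.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a "resource:action" string such as "robot:update" (constructed naming).
type Permission string

// Robot is a simplified model of a project-level robot account.
// CreatorID links to the robot (or user) that created it; "" means created by a project admin.
type Robot struct {
	ID        string
	CreatorID string
	Perms     map[Permission]bool
}

// Store is an in-memory stand-in for the robot table.
type Store struct {
	Robots map[string]*Robot
}

var ErrForbidden = errors.New("forbidden")

// robotPerms is the permission set granted in the issue's steps 1-3.
var robotPerms = []Permission{"robot:create", "robot:delete", "robot:update", "robot:list"}

// Create adds a robot. A non-empty creator must hold robot:create and may only
// grant permissions it holds itself, so a chain of robots can never widen.
func (s *Store) Create(creatorID, id string, perms []Permission) (*Robot, error) {
	if creatorID != "" {
		creator, ok := s.Robots[creatorID]
		if !ok || !creator.Perms["robot:create"] {
			return nil, fmt.Errorf("creator %q cannot create robots: %w", creatorID, ErrForbidden)
		}
		for _, p := range perms {
			if !creator.Perms[p] {
				return nil, fmt.Errorf("cannot grant %q beyond creator's permissions: %w", p, ErrForbidden)
			}
		}
	}
	r := &Robot{ID: id, CreatorID: creatorID, Perms: map[Permission]bool{}}
	for _, p := range perms {
		r.Perms[p] = true
	}
	s.Robots[id] = r
	return r, nil
}

// Delete removes a robot. Robots it created keep a dangling CreatorID, which
// CanUpdate treats as "no valid updater" rather than falling back to an ancestor.
func (s *Store) Delete(id string) { delete(s.Robots, id) }

// CanUpdate enforces: (1) actor holds robot:update, (2) actor is the target's
// direct creator, (3) the new permission set is a subset of the actor's own.
func (s *Store) CanUpdate(actorID, targetID string, newPerms []Permission) error {
	actor, ok := s.Robots[actorID]
	if !ok {
		return fmt.Errorf("actor %q does not exist: %w", actorID, ErrForbidden)
	}
	target, ok := s.Robots[targetID]
	if !ok {
		return fmt.Errorf("target %q not found", targetID)
	}
	if !actor.Perms["robot:update"] {
		return fmt.Errorf("actor %q lacks robot:update: %w", actorID, ErrForbidden)
	}
	if target.CreatorID != actorID {
		return fmt.Errorf("actor %q is not the creator of %q: %w", actorID, targetID, ErrForbidden)
	}
	for _, p := range newPerms {
		if !actor.Perms[p] {
			return fmt.Errorf("cannot grant %q beyond actor's own permissions: %w", p, ErrForbidden)
		}
	}
	return nil
}

// Scenario replays the issue's four steps and returns the result of step 4:
// A attempting to update the orphaned C with an extra accessory:list permission.
func Scenario() error {
	s := &Store{Robots: map[string]*Robot{}}
	for _, c := range []struct{ creator, id string }{{"", "A"}, {"A", "B"}, {"B", "C"}} {
		if _, err := s.Create(c.creator, c.id, robotPerms); err != nil {
			return err
		}
	}
	s.Delete("B")
	return s.CanUpdate("A", "C", append(robotPerms, "accessory:list"))
}

func main() {
	fmt.Println("step 4 result:", Scenario())
}
```

Both rules fire independently in step 4: the creator check denies A before permissions are even compared, and the subset check would deny `accessory:list` even for a direct creator that lacks it. Keeping both means a robot whose creator is gone stays frozen at its current permissions until a project admin (who is not subject to the creator link) re-homes or deletes it.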

@wy65701436
Contributor

Closing it as fixed by #21028.
