Impact

Privilege Escalation via user permissions. Users in an existing group with "maintainer" permissions are permitted to add user to group - but this group addition is not limited to their permission - i.e. a user can add someone (or readd themselves) as an "owner" to the group, and benefit from any additional permissions.

Additionally, when a new group is created, a user is assigned the owner role within this new group. The permission of adding a group to a project was maintainer. This allowed users with the role of maintainer to add groups to projects, which would allow a user with maintainer to elevate their permission to owner by simply creating a new group and assigning the group to the project they are maintainer of. This has also been changed to owner role.

Patches

The permission level required to add user to a group has been set at "owner" or above in Lagoon v2.15.2
The permission level required to add groups to project has been set at "owner" or above in Lagoon v2.15.2

Workarounds

Keycloak administrators can modify the keycloak permission directly at
{Keycloak Lagoon Realm} > Clients > api > Authorization > Permissions > "Add User to Group" and select the "[Lagoon] Users role for group is Owner" policy to apply, remove the existing "maintainer" one, and save.

{Keycloak Lagoon Realm} > Clients > api > Authorization > Permissions > "Add Groups to Project" and select the "[Lagoon] Users role for project is Owner" policy to apply, remove the existing "maintainer" one, and save. (This permission also has a secondary policy of [Lagoon] User has access to project which should remain.

References

Are there any links users can visit to find out more?