User's permissions are not properly verified when listing artifacts in a report.
Impact
A user can use this to access information they do not have access to.
CVSSv3 score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Exploitation
- Create three user groups in a project: A, B, and C
- In A, add User1
- In B, add User2
- In C, add User1 and User2
- In a tracker's permissions:
  - A: access to all artifacts submitted by group
  - B: access to all artifacts submitted by group
  - C: no access
- User1 submits an artifact
=> User2 should not see the artifact in the tracker report
See https://tuleap.net/plugins/forumml/message.php?group_id=101&topic=39577&list=1
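The following added example models the permission check the scenario above expects; it is illustrative code written for this page, not Tuleap's implementation, and the permission labels, data layout and function names are assumptions. It encodes the reproduction steps as data and shows that a correct "submitted by group" check must require the submitter and the viewer to share a group that actually holds that permission, so that User2's shared membership with User1 in C (which has no access) does not expose the artifact.

```python
# Assumed permission kinds for a tracker, assigned per user group.
SUBMITTED_BY_GROUP = "access to all artifacts submitted by group"
NO_ACCESS = "no access"

# Constructed scenario taken from the advisory's reproduction steps.
groups = {
    "A": {"User1"},
    "B": {"User2"},
    "C": {"User1", "User2"},
}
tracker_permissions = {
    "A": SUBMITTED_BY_GROUP,
    "B": SUBMITTED_BY_GROUP,
    "C": NO_ACCESS,
}

def can_view_artifact(user, submitter, groups, tracker_permissions):
    """A user may see an artifact only if some group the user belongs to
    holds a permission that covers it. For SUBMITTED_BY_GROUP the submitter
    must be a member of that same group; sharing a group that has no
    access (C here) must never be enough."""
    for group, members in groups.items():
        if user not in members:
            continue
        permission = tracker_permissions.get(group, NO_ACCESS)
        if permission == SUBMITTED_BY_GROUP and submitter in members:
            return True
    return False

def visible_artifacts_in_report(user, artifacts, groups, tracker_permissions):
    """Filter a report's artifact list with the same check used for viewing
    a single artifact, so listing cannot leak more than viewing does."""
    return [a for a in artifacts
            if can_view_artifact(user, a["submitter"], groups, tracker_permissions)]

# Constructed artifact: the one User1 submits in the scenario.
artifacts = [{"id": 1, "submitter": "User1"}]

if __name__ == "__main__":
    for u in ("User1", "User2"):
        ids = [a["id"] for a in
               visible_artifacts_in_report(u, artifacts, groups, tracker_permissions)]
        print(u, "sees", ids)  # User1 sees [1], User2 sees []
```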
References
CWE-280