      request #11192 Filters set in tracker reports are vulnerable to SQL injections
    Infos
    #11192
    Thomas Gerbet (tgerbet)
    2018-03-05 18:11
    2018-02-26 13:52
    11531
    Details
    Filters set in tracker reports are vulnerable to SQL injections

    Tuleap does not properly sanitize user input when constructing SQL queries for a tracker report when a criterion is a cross reference or a permissions on artifact field.

    Impact

    An attacker with access to a tracker report could execute arbitrary SQL queries.
    CVSSv3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    Using a select box bound to a user group, select None and use ) as the second sent value (intercept and modify the request to do it). You will get a DB error caused by the resulting broken query and the lack of proper escaping.

    Credits

    Thank you to Cristiano Maruti (@cmaruti) for reporting this issue and coordinating its disclosure with us.

    References

    CVE-2018-7538

    CWE-89
    https://www.owasp.org/index.php/SQL_Injection
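
The bug class described under Exploitation, as an added illustration that is not Tuleap's own code: Tuleap is written in PHP, while this sketch uses Python with an in-memory SQLite database, and the table, column and function names and the ids are hypothetical. It builds a multi-value select box filter first by string concatenation, then with validated and bound ids.

```python
import sqlite3

# Constructed schema and rows; names and ids are hypothetical, not Tuleap's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artifact_perm (artifact_id INTEGER, ugroup_id INTEGER);
        INSERT INTO artifact_perm VALUES (1, 100), (2, 101), (3, 102);
    """)
    return db

def filter_vulnerable(db, ugroup_values):
    # Before: submitted select box values are joined straight into the IN list.
    sql = ("SELECT artifact_id FROM artifact_perm WHERE ugroup_id IN ("
           + ",".join(ugroup_values) + ") ORDER BY artifact_id")
    return [row[0] for row in db.execute(sql)]

def filter_hardened(db, ugroup_values):
    # After: every value must be a decimal id, and ids are bound, never spliced.
    ids = []
    for value in ugroup_values:
        if not (value.isascii() and value.isdigit()):
            raise ValueError("invalid user group id: %r" % (value,))
        ids.append(int(value))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT artifact_id FROM artifact_perm WHERE ugroup_id IN ("
           + placeholders + ") ORDER BY artifact_id")
    return [row[0] for row in db.execute(sql, ids)]

def demo():
    db = make_db()
    out = {"legit": filter_hardened(db, ["100", "101"])}
    for name, fn in (("vulnerable", filter_vulnerable), ("hardened", filter_hardened)):
        try:
            fn(db, ["100", ")"])  # ")" as the second sent value, as in the report
            out[name] = "accepted"
        except sqlite3.OperationalError:
            out[name] = "db error"   # broken query reached the database
        except ValueError:
            out[name] = "rejected"   # stopped before any SQL was built
    return out

if __name__ == "__main__":
    print(demo())
```

The hardened version rejects the malformed value at the input boundary, so the database never sees a query whose structure depends on the request.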

    Trackers
    All
    Stage
    Empty
    Closed
    2018-02-27

    Follow-ups

    Thomas Gerbet (tgerbet) 2018-02-28 11:00
    CVE-2018-7538 has been assigned to this vulnerability.

    Thomas Gerbet (tgerbet) 2018-02-28 10:58
    Add credits and disclosure date.
