request #26816 Resources of private projects can be accessed by non project members

Artifact

Infos

Artifact ID#26816

Submitted byThomas Gerbet (tgerbet)

Last Modified On2022-06-29 10:50

Submitted on2022-05-20 11:12

Rank28338

Details

Summary *

Resources of private projects can be accessed by non project members

Original Submission

Authorizations are not properly verified when creating projects or trackers from projects marked as templates.

Impact

Users can get access to information in those template projects because the permissions model is not properly enforced.

CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploitation

As a non member of a private template project create a new project from it
As a user that cannot see a tracker in a template project, create a new tracker from it

References

CWE 285
CVE-2022-31032

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toLorentz Romain (lorentzr)

StatusClosed

Close date2022-06-21

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #25714	Tuleap	Releases	13.10	Delivered	2022-06-22 10:19	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #26816

Git commit

tuleap/tuleap/stable

Revert "request #26785 Project creation can be broken if the template is private" 8e49b0a8ef

Lorentz Romain (lorentzr) , 2022-05-23 10:34

Merge commit 'refs/changes/79/25979/8' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD cc38bcc59c

Nicolas Terray (nterray) , 2022-06-06 14:20

request #26816 Resources of private projects can be accessed by non project members 7e221a9d18

Lorentz Romain (lorentzr) , 2022-06-02 11:14

Clean-up unused properties d7d9a542c2

Thomas Gerbet (tgerbet) , 2022-06-07 09:34

Show items referenced by request #26816

Referenced by request #26816

Artifact Tracker v5

rel #25714 13.10

Other

gerrit #25979

gerrit #26079

Follow-ups

Thomas Gerbet (tgerbet)

2022-06-29 10:50

Public disclosure.

Thomas Gerbet (tgerbet)

2022-06-21 10:18

CVE-2022-31032 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Status changed from Under implementation to Closed
Connected artifacts
- Added Fixed in: rel #25714
Close date set to 2022-06-21

Yannis ROSSETTO (rossettoy)

2022-06-07 11:17

gerrit #26079 (Clean-up unused properties) integrated into Tuleap 13.9.99.65

Nicolas Terray (nterray)

2022-06-06 14:21

gerrit #25979 integrated into Tuleap 13.9.99.58

Lorentz Romain (lorentzr)

2022-05-20 14:23

Status changed from Verified to Under implementation
Assigned to changed from None to Lorentz Romain (lorentzr)