Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #37545 Deleting or moving an artifact can delete values from unrelated artifacts
    Actions
    Infos
    #37545
    Thomas Gerbet (tgerbet)
    2024-05-07 11:10
    2024-03-28 16:09
    39156
    Details
    Deleting or moving an artifact can delete values from unrelated artifacts

    Moving or deleting an artifact can lead to the removal of information on other unrelated artifacts on the instance.

    Impact

    A malicious user could exploit this issue on purpose to delete information on the instance. It is however not possible to control exactly which information is deleted.

    Information from the following fields can be impacted:

    • Date
    • File
    • Float
    • Int
    • List (checkbox, selectbox, radio button, multi-selectbox)
    • OpenList
    • Text
    • String
    • Permissions on artifact (for the history visualization, actual permissions are not affected, see details below)

    Issue is present since Tuleap 14.11.99.34 (git #tuleap/stable/7f2e5e974596196bd96c2146c533353ecbcc592f)

    CVSSv3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

    Details on the "Permissions on artifact" field

    Data stored in the tracker_changeset_value_permissionsonartifact database table can be affected by this issue. This affects features such as the diff of values in changeset history, CSV export, REST API and webhooks data, etc.
    However, the set of permissions that are currently enforced for a given artifact are stored in another database table named permissions which is not affected by this issue. As a result, there are two possible cases for an artifact where the "Permissions on artifact" value has been affected by this issue:

    1. If the "Permissions on artifact" value has never changed since the affected value, the permissions that had been set are still in effect. User groups that had permission to see the artifact can still see it, user groups that did not have permission are still rejected. Confidentiality is preserved, but changeset history, CSV export, REST API will have a gap for this field.
    2. If the "Permissions on artifact" value has changed (or will change) since the affected value, the new permissions will apply as usual. Confidentiality is preserved.

    References

    CWE-440
    CVE-2024-30246

    Acknowledgements

    This issue was identified and reported by Guilhem Bonnefille from CS Group.

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2024-03-29
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #36797 Tuleap Releases 15.8 Delivered 2024-04-24 13:48 Manuel Vacelet (vaceletm)
    By Thomas Gerbet (tgerbet)
    (2 MB)
    CVE-2024-30246_14490449103aee2.phar
    Tool to identify and possibly repair corrupted data
    References
    Referencing request #37545

    Artifact Tracker v5

    request #37592 Mitigate risks of data loss in DB

    Git commit

    tuleap/tuleap/stable

    fix: request #37545 Deleting or moving an artifact can delete values from unrelated artifacts a0ba0ae82a
    User avatar Thomas Gerbet (tgerbet) , 2024-03-28 17:34
    Merge commit 'refs/changes/85/30785/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 04e68bbe7c
    User avatar Joris MASSON (jmasson) , 2024-03-29 10:54
    feat: Attempt to identify and fix changesets affected by CVE-2024-30246 8881e29531
    User avatar Joris MASSON (jmasson) , 2024-04-19 09:38
    fix: CVE-2024-30246 correction tool should output a valid SQL file 6bba89c349
    User avatar Thomas Gerbet (tgerbet) , 2024-04-19 10:59
    feat: CVE-2024-30246 correction tool now allows to set all DB options 29e105c85a
    User avatar Thomas Gerbet (tgerbet) , 2024-04-19 11:53
    fix: Avoid to display info that can be misinterpreted when running `CVE-2024-30246.phar identify` d55f7de254
    User avatar Thomas Gerbet (tgerbet) , 2024-04-26 10:17
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-04-19 14:41
    last edited by: Thomas Gerbet (tgerbet) 2024-05-07 11:11

    Attaching a tool (git #tuleap/stable/8881e29531b0d65f9b70562af10178df83206d59) to help identify and retrieve corrupted data from a backup. The tool works in 2 steps.
    The first step is expected to be executed against the current production DB of a Tuleap instance. It will try to identify changeset values that might have been affected by the issue. It will output something looking like that:

    $> /opt/remi/php82/root/usr/bin/php ./CVE-2024-30246_14490449103aee2.phar identify --dbhost=127.0.0.1 --dbname=tuleap --dbusername=tuleapadm --output-file=/path/to/write/suspected_changeset_values_document.json
Password for DB user 'tuleapadm':
Searching...
Maximum changeset_id = '20415'
Submission date of the last affected changeset: '2018-04-16T15:52:00+00:00'
Estimated date of update to Tuleap higher than 14.11 = '2023-09-07 07:13:50'
Submission date of the last affected changeset for complex fields: '2018-06-01T08:26:33+00:00'
Estimated date of update to Tuleap higher than 14.11 = '2023-09-07 07:13:50'
End of report

    The second part of the tool will use the document that has been generated by the first one to generate SQL queries to fix the corrupted values. The second part of the tool must be executed against a restored backup of the DB. You will want to restore a backup around the indicated date of the 14.11 upgrade to restore corrupted values created before this date.

    $> /opt/remi/php82/root/usr/bin/php ./CVE-2024-30246_0ab35aa8b09.phar retrieve --dbhost=127.0.0.1 --dbname=tuleap_backup --dbusername=tuleapadm --input-file=/path/to/suspected_changeset_values_document.json --output-file=/path/to/write/sql_queries.sql
Password for DB user 'tuleapadm':
Checking text fields...
Checking list fields...
Checking computed fields...
Checking float fields...
Checking int fields...
Checking date fields...
Checking file fields...
Checking openlist fields...
Checking artifact link fields...
Checking permissions on artifact fields...

    The generated SQL file can then be applied on your current production DB.

    • Attachments CVE-2024-30246_0ab35aa8b09.phar added
    User avatar
    Thomas Gerbet (tgerbet)2024-04-19 10:46

    Adjusting the CVSS score with the additional details on the "permissions on artifact" field

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Guilhem Bonnefille (CS) (gbonnefille)2024-04-04 08:41

    As a reminder, here is the script I imagined to retrieve lost data from a live MySQL backup, providing the missing Artifact Changeset as argument:

    #!/bin/sh

#
# For authentication, set $MYSQL_PWD
#

CHANGESETS=`echo $* | tr ' ' ','`

IDS=`mysql -u tuleapadm -B -N -e "SELECT id FROM tracker_changeset_value WHERE changeset_id IN ($CHANGESETS)" tuleap | tr '\n' ',' | sed 's/,$//'`

for table in tracker_changeset_value_artifactlink tracker_changeset_value_computedfield_manual_value tracker_changeset_value_date tracker_changeset_value_file tracker_changeset_value_float tracker_changeset_value_int tracker_changeset_value_list tracker_changeset_value_openlist tracker_changeset_value_permissionsonartifact tracker_changeset_value_text
do
  mysqldump -u tuleapadm -y -n -t tuleap $table --where "changeset_value_id in ($IDS)"
done
    User avatar
    Joris MASSON (jmasson)2024-04-02 15:36

    Added details on the impacts for the "Permissions on artifact" field.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Joris MASSON (jmasson)2024-03-29 17:38

    Added "String" field type and added details for List field types

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-03-29 17:37
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-03-29 15:25

    CVE-2024-30246 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-03-29 12:26
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-03-29 08:35

    Flagging this as an security issue since it impacts data integrity and there is at least one offensive scenario where a bad actor can exploit it to wreak havoc on purpose.

    @gbonnefille Is it fine if we credit you and CS Group in the advisory?

    User avatar
    Thomas Gerbet (tgerbet)2024-03-28 16:42

    See gerrit #30785

    • Summary
      -Deleting an artifact can delete values from unrelated artifact 
      +Deleting or moving an artifact can delete values from unrelated artifacts 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Under implementation to Under review
    User avatar
    Guilhem Bonnefille (CS) (gbonnefille)2024-03-28 16:34

    Furthermore, as the deletion did not select the right elements, the database also contains orphans 'values'. We can find them with:

    SELECT * FROM tracker_changeset_value_all vv
WHERE NOT EXISTS (SELECT id FROM tracker_changeset_value v WHERE v.id = vv.changeset_value_id);
    User avatar
    Guilhem Bonnefille (CS) (gbonnefille)2024-03-28 16:18
    last edited by: Guilhem Bonnefille (CS) (gbonnefille) 2024-03-28 16:24

    It is possible to identify the affected changesets with the following SQL requests:

    CREATE TEMPORARY TABLE tracker_changeset_value_all (PRIMARY KEY my_pkey (changeset_value_id)) SELECT * FROM (
SELECT changeset_value_id FROM
tracker_changeset_value_artifactlink
UNION
SELECT changeset_value_id FROM tracker_changeset_value_computedfield_manual_value
UNION
SELECT changeset_value_id FROM tracker_changeset_value_date UNION   SELECT changeset_value_id FROM tracker_changeset_value_file UNION   SELECT changeset_value_id FROM tracker_changeset_value_float
UNION
SELECT changeset_value_id FROM tracker_changeset_value_int UNION   SELECT changeset_value_id FROM tracker_changeset_value_list
UNION
SELECT changeset_value_id FROM tracker_changeset_value_openlist UNION   SELECT changeset_value_id FROM tracker_changeset_value_permissionsonartifact
UNION
SELECT changeset_value_id FROM tracker_changeset_value_text ) AS foo;

SELECT c.id, FROM_UNIXTIME(c.submitted_on), c.artifact_id, a.id, a.tracker_id, t.name, g.group_name FROM tracker_changeset c
LEFT JOIN tracker_artifact a ON c.artifact_id = a.id
LEFT JOIN tracker t ON t.id = a.tracker_id
LEFT JOIN groups g ON g.group_id = t.group_id
WHERE NOT EXISTS (SELECT cv.id FROM tracker_changeset_value cv WHERE c.id = cv.changeset_id AND EXISTS (SELECT * FROM tracker_changeset_value_all WHERE changeset_value_id = cv.id)) AND NOT EXISTS (SELECT * FROM tracker_changeset_comment cm WHERE c.id = cm.changeset_id) ;