Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #39728 Trackers are listed in the quick add actions of the backlog without any permissions check
    Actions
    Infos
    #39728
    Sandra Echinard (sechinard)
    2024-10-14 09:38
    2024-09-26 15:09
    41355
    Details
    Trackers are listed in the quick add actions of the backlog without any permissions check

    Impact

    Users might see tracker names they should not have access to.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    Have a user that cannot access a tracker and have this tracker in list of items of items that can be planned in your Backlog service.

    The action "+ Add ..." shouldn't be displayed in the backlog.

    References

    CWE-280
    CVE-2024-47767

    Agile Dashboard
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Nicolas Terray (nterray)
    Closed
    2024-09-30
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #37898 Tuleap Releases 16.0 Delivered 2024-10-09 15:47 Manuel Vacelet (vaceletm)
    By Sandra Echinard (sechinard)
    (77 kB)
    image.png
    References
    Referencing request #39728

    Git commit

    tuleap/tuleap/stable

    fix: request #39728: If a user does not have access at all to a tracker, it should not be displayed in the backlog. f89d7093d2
    User avatar Nicolas Terray (nterray) , 2024-09-30 15:16
    Merge 'gerrit #32061' into stable/master 2607e5080b
    User avatar Thomas Gerbet (tgerbet) , 2024-09-30 16:54
    fix: request #39728: If a user does not have access at all to a tracker, it should not be displayed in the backlog. 16d9efccb2
    User avatar Nicolas Terray (nterray) , 2024-10-01 16:11
    Merge 'gerrit #32065' into stable/master e5785ab73d
    User avatar Thomas Gerbet (tgerbet) , 2024-10-02 09:45
    fix: request #39728: If a user does not have access at all to a tracker, it should not be displayed in the backlog 47610dde65
    User avatar Nicolas Terray (nterray) , 2024-10-02 17:59
    Merge 'gerrit #32082' into stable/master 4d26e7fd8b
    User avatar Thomas Gerbet (tgerbet) , 2024-10-03 15:25
    fix: request #39728: If a user does not have access at all to a tracker, it should not be displayed in the backlog e5ce812797
    User avatar Nicolas Terray (nterray) , 2024-10-03 10:51
    Revert "fix: request #39728: If a user does not have access at all to a tracker, it should not be displayed in the backlog" a636c1d975
    User avatar Thomas Gerbet (tgerbet) , 2024-10-03 15:41
    Merge commit 'gerrit #32082' into stable/master 00eeb2e0dd
    User avatar Thomas Gerbet (tgerbet) , 2024-10-03 15:41
    Referenced by request #39728

    Artifact Tracker v5

    rel #37898 16.0

    Other

    gerrit #32061
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-10-04 17:14

    CVE-2024-47767 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-09-30 17:10
    • Summary
      -If a user does not have access at all to a tracker, it should not be displayed in the backlog. 
      +Trackers are listed in the quick add actions of the backlog without any permissions check 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Category changed from Trackers to Agile Dashboard
    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2024-09-30
    User avatar
    Nicolas Terray (nterray)2024-09-30 15:16
    • Summary
      -If a user does not have access at all to a tracker, it should be displayed in the backlog. 
      +If a user does not have access at all to a tracker, it should not be displayed in the backlog.