Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #39736 Permissions are incorrectly verified for project administrators in the cross tracker search widget
    Actions
    Infos
    #39736
    Kevin Traini (ktraini)
    2024-10-14 09:38
    2024-10-01 15:31
    41363
    Details
    Permissions are incorrectly verified for project administrators in the cross tracker search widget

    Impact

    Administrators of project can access the content of trackers with permissions restrictions of project they are members of but not admin via the cross tracker search widget.

    CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    Exploitation

    Let's take this scenario:

    • You are admin of Project 1
    • In Project 2 (you are member of it) the field of one tracker is readable only by project admins
    • You try to retrieve fields of trackers from both projects

    TrackersPermissionsRetriever doesn't check the project context so as you are admin of Project 1, you are member of user group ProjectAdmin and the dao consider you can view the field.

    There is the same issue for view permissions on Trackers.

    The impact is located only in the Cross Tracker Search widget.

    References

    CWE-280
    CVE-2024-47766

    Cross tracker search
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Kevin Traini (ktraini)
    Closed
    2024-10-03
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #37898 Tuleap Releases 16.0 Delivered 2024-10-09 15:47 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #39736

    Git commit

    tuleap/tuleap/stable

    fix: request #39736 Project administrator can see fields of another project 529d11b707
    User avatar Kevin Traini (ktraini) , 2024-10-03 10:53
    Merge commit 'refs/changes/64/32064/4' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD ff7da082c0
    User avatar Joris MASSON (jmasson) , 2024-10-03 11:42
    Referenced by request #39736

    Artifact Tracker v5

    rel #37898 16.0

    Other

    gerrit #32064
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-10-04 17:16

    CVE-2024-47766 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-10-04 10:52
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-10-02 10:44
    • Summary
      -Project administrator can see fields of another project 
      +Permissions are incorrectly verified for project administrators in the cross tracker search widget 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Category changed from Trackers to Cross tracker search
    • Reported in version set to All
    User avatar
    Kevin Traini (ktraini)2024-10-01 15:45
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes