•  
      request #10521 Improper handling of group related permissions in tracker report
    Infos
    #10521
    Nicolas Terray (nterray)
    2018-02-07 17:35
    2017-08-03 13:24
    10766
    Details
    Improper handling of group related permissions in tracker report

    User's permissions are not properly verified when listing artifacts in a report.

    Impact

    A user can use this to access information he not have access to.
    CVSSv3 score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    • Create user group in a project: A, B, and C
    • In A, add User1
    • In B, add User2
    • In C, add User1 and User2
    • In a tracker permissions:
      • A:  access to all artifacts submitted by group
      • B:  access to all artifacts submitted by group
      • C: no access
    • User1 submit and artifact

    => User2 should not see the artifact in the tracker report

    See https://tuleap.net/plugins/forumml/message.php?group_id=101&topic=39577&list=1

    References

    CWE-280

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-02-07
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes