      request #10521 Improper handling of group related permissions in tracker report
    Infos
    #10521
    Nicolas Terray (nterray)
    2018-02-07 17:35
    2017-08-03 13:24
    10520
    Details
    Improper handling of group related permissions in tracker report

    User's permissions are not properly verified when listing artifacts in a report.

    Impact

    A user can use this to access information he does not have access to.
    CVSSv3 score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    • Create user groups in a project: A, B, and C
    • In A, add User1
    • In B, add User2
    • In C, add User1 and User2
    • In the tracker's permissions:
      • A: access to all artifacts submitted by group
      • B: access to all artifacts submitted by group
      • C: no access
    • User1 submits an artifact

    => User2 should not see the artifact in the tracker report

    See https://tuleap.net/plugins/forumml/message.php?group_id=101&topic=39577&list=1
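    The permission semantics the scenario above expects, as an added Python model written here for illustration (it is not Tuleap's code; the group names, permission names and artifact list are constructed from the steps above):

```python
from __future__ import annotations
from dataclasses import dataclass

# Permission kinds used by this model (assumed names, not Tuleap's own identifiers).
ACCESS_SUBMITTED_BY_GROUP = "access_submitted_by_group"
NO_ACCESS = "no_access"


@dataclass
class Tracker:
    groups: dict[str, set[str]]        # group name -> member user names
    permissions: dict[str, str]        # group name -> permission on this tracker

    def groups_of(self, user: str) -> set[str]:
        return {g for g, members in self.groups.items() if user in members}

    def can_see(self, viewer: str, submitter: str) -> bool:
        """An artifact is visible to `viewer` only if some group that holds the
        'submitted by group' permission contains BOTH viewer and submitter.
        Sharing a group that has no access (group C below) must grant nothing:
        the check is per group, never a union of the viewer's memberships."""
        for group in self.groups_of(viewer):
            if (self.permissions.get(group) == ACCESS_SUBMITTED_BY_GROUP
                    and submitter in self.groups[group]):
                return True
        return False

    def visible_artifacts(self, viewer: str,
                          artifacts: list[tuple[int, str]]) -> list[int]:
        """Filter a report: `artifacts` is a list of (id, submitter) pairs."""
        return [aid for aid, who in artifacts if self.can_see(viewer, who)]


# Constructed scenario mirroring the reproduction steps above.
TRACKER = Tracker(
    groups={"A": {"User1"}, "B": {"User2"}, "C": {"User1", "User2"}},
    permissions={"A": ACCESS_SUBMITTED_BY_GROUP,
                 "B": ACCESS_SUBMITTED_BY_GROUP,
                 "C": NO_ACCESS},
)
ARTIFACTS = [(1, "User1"), (2, "User2")]  # constructed: artifact id, submitter

if __name__ == "__main__":
    for viewer in ("User1", "User2"):
        print(viewer, "sees artifacts", TRACKER.visible_artifacts(viewer, ARTIFACTS))
```

    With this check User2's report contains only artifact 2; a filter that first unions the viewer's groups and then tests the submitter against that union would wrongly let the shared no-access group C expose artifact 1.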

    References

    CWE-280


    Follow-ups

    • Joris MASSON (jmasson) 2018-02-07 17:26
      gerrit #10489 integrated in Tuleap 9.17.99.49

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2018-02-07
    • Thomas Gerbet (tgerbet) 2018-02-05 16:22
      A fix is under review: gerrit #10489.

      • Status changed from New to Under review