request #10839 SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field

Artifact

Infos

Artifact ID#10839

Submitted byThomas Gerbet (tgerbet)

Last Modified On2017-12-11 13:11

Submitted on2017-11-21 11:22

Rank11068

Details

Summary *

SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field

Original Submission

Tuleap does not sanitize properly user inputs when constructing SQL queries for a tracker report when a criteria is a cross reference or a permissions on artifact field.

Impact

An attacker with access to a tracker report with a cross references criteria could execute arbitrary SQL queries.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation

Put the character ' into the cross reference criteria of a tracker report, you will get a DB error caused by the resulting broken query.

References

CWE-89
https://www.owasp.org/index.php/SQL_Injection

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2017-11-21

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #10588	Tuleap	Releases	9.15	Delivered	2017-12-07 17:01	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #10839

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/68/9968/2' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD c9c2610f7f

Joris MASSON (jmasson) , 2017-11-21 15:07

request #10839: SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field 3076778566

Thomas Gerbet (tgerbet) , 2017-11-21 12:47

Show items referenced by request #10839

Referenced by request #10839

Artifact Tracker v5

rel #10588 9.15

Other

gerrit #9968

Follow-ups

Joris MASSON (jmasson)

2017-11-21 15:21

gerrit #9968 integrated into Tuleap 9.14.99.68

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #10588
Close date set to 2017-11-21

Thomas Gerbet (tgerbet)

2017-11-21 12:06

A patch is under review: gerrit #9968.

Status changed from Under implementation to Under review

Thomas Gerbet (tgerbet)

2017-11-21 11:59

Issue is also present with the "Permissions on artifact" field.

Summary
-SQL injection in tracker report search when a criteria is a cross references field
+SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field
Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Public

Impact

Exploitation

References

Artifact links

Releases

Fixed in

Reverse artifact links

Referencing request #10839

Git commit

tuleap/tuleap/stable

Referenced by request #10839

Artifact Tracker v5

Other

Follow-ups