      request #14771 Default permissions on configuration path and files are too open
    Infos
    #14771
    Manuel Vacelet (vaceletm)
    2020-05-13 08:52
    2020-04-09 14:56
    16042
    Details
    Default permissions on configuration path and files are too open

    On a new RHEL7 install, /etc/tuleap/conf/database.inc is readable by too many users.

    Tuleap sets overly wide permissions on its configuration files, making it possible to gain access to the secrets they contain (such as the database credentials in database.inc).

    Impact

    An attacker with a shell account on the server can read /etc/tuleap/conf/database.inc and, with the credentials it contains, read from and write to the database. Note that the possibility for users to have a shell account is not enabled by default and requires specific configuration by the system administrators. Users must also have been granted shell access by a site administrator.
    CVSSv3.1 score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

    References

    CWE-276
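
The following script is an added example, not Tuleap's own code or the fix shipped for this request. It audits a configuration directory for the condition described above (files whose mode lets accounts other than the owner and group read or write them, CWE-276) and can tighten them. The target modes 750 for directories and 640 for files, the owner:group argument, and the script name check_conf_perms.sh are assumptions made for the example; the report does not state which modes Tuleap ends up applying.

```shell
#!/bin/sh
# Added example (not Tuleap's code): audit and harden permissions on a
# Tuleap-style configuration directory such as /etc/tuleap/conf.
# Assumed target modes: 750 for directories, 640 for files (assumption).

set -u

# Print every regular file under $1 that is readable or writable by "other"
# (mode bits 004 / 002) or writable by group (020). Returns 1 if any such
# file exists, 0 if the directory is clean. Octal -perm tests are POSIX.
find_open_config() {
    dir=$1
    found=$(find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -020 \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Tighten permissions under $1: directories to 750, files to 640.
# If $2 is given as owner:group, chown everything to it (needs root);
# the service account name is deployment-specific, so it is a parameter.
harden_config_perms() {
    dir=$1
    owner=${2:-}
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir"
    fi
}

# Command-line entry point: audit the given directory (default
# /etc/tuleap/conf) and exit non-zero when secrets are exposed.
main() {
    conf_dir=${1:-/etc/tuleap/conf}
    if find_open_config "$conf_dir"; then
        echo "OK: no file under $conf_dir is readable or writable by other users"
    else
        echo "FAIL: the files listed above are exposed to every local account" >&2
        echo "      (e.g. database.inc would leak the database credentials)" >&2
        return 1
    fi
}

# Only run main when executed directly under the assumed script name,
# so the functions can also be sourced from another shell.
if [ "${0##*/}" = "check_conf_perms.sh" ]; then
    main "$@"
fi
```

Run it as `sh check_conf_perms.sh /etc/tuleap/conf` on the affected host to reproduce the finding (a 644 database.inc is reported), then, as root, source the file and call `harden_config_perms /etc/tuleap/conf root:<service-group>` with whichever group the Tuleap processes actually run under; the script deliberately does not guess that group.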

    Installation process
    All
    EL7 (CentOS|RHEL)
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Manuel Vacelet (vaceletm)
    Closed
    2020-04-10
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2020-04-09 15:51
    • Original Submission