request #15028 The update of the CI job targeted by a widget is vulnerable to blind SQL injections

Artifact

Infos

Artifact ID#15028

Submitted byThomas Gerbet (tgerbet)

Last Modified On2021-10-18 11:01

Submitted on2020-06-26 15:10

Rank16283

Details

Summary *

The update of the CI job targeted by a widget is vulnerable to blind SQL injections

Original Submission

Tuleap does not sanitize properly user inputs when constructing the SQL query to update the continuous integration job targeted by one of the widgets.

Impact

An attacker with the ability to add one the CI widget to its personal dashboard could execute arbitrary SQL queries.
CVSSv3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation

Issue can be demonstrated by adding one the CI widget to a personal dashboard, edit it, set the value to submit to something like (SELECT BENCHMARK(50000000,ENCODE('MSG','Slow'))) and submit. You will notice a unexpected slowness.

References

CWE-89
https://www.owasp.org/index.php/SQL_Injection

CVE-2021-41148

CategoryContinuous Integration

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2020-06-26

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #14817	Tuleap	Releases	11.17	Delivered	2020-07-23 10:57	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #15028

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/67/19367/2' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD e46722bbb2

Nicolas Terray (nterray) , 2020-06-26 19:02

request #15028: The update of the CI job targeted by a widget is vulnerable to blind SQL injections 91535add59

Thomas Gerbet (tgerbet) , 2020-06-26 15:53

Show items referenced by request #15028

Referenced by request #15028

Artifact Tracker v5

rel #14817 11.17

Other

gerrit #19367

Follow-ups

Thomas Gerbet (tgerbet)

2021-10-18 11:01

CVE-2021-41148 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2021-10-15 13:11

Public disclosure.

Nicolas Terray (nterray)

2020-06-26 19:03

gerrit #19367 integrated into Tuleap 11.16.99.23

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #14817
Close date set to 2020-06-26

Thomas Gerbet (tgerbet)

2020-06-26 15:30

Patch under review: gerrit #19367.

Summary
-~~Updating~~ the CI job targeted by a widget is vulnerable to blind SQL injections
+The update of the CI job targeted by a widget is vulnerable to blind SQL injections
Status changed from Under implementation to Under review