•  
      request #16214 SQL injection in CVS revisions browser
    Infos
    #16214
    Thomas Gerbet (tgerbet)
    2021-10-19 12:06
    2020-08-12 12:41
    17355
    Details
    SQL injection in CVS revisions browser

    Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories.

    Impact

    An attacker with read access to a CVS repository could execute arbitrary SQL queries.
    CVSSv3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    Issue can be demonstrated in a repo with multiple revisions by adding the morder GET parameter to the request and setting it to something revision LIMIT 1--. Only one revision will be displayed instead of the complete list.

    References

    CWE-89
    OWASP SQL Injection

    CVE-2021-41155

    SCM/CVS
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-08-12
    Attachments
    Empty
    References

    Follow-ups

    • User avatar
      Thomas Gerbet (tgerbet)2021-10-19 12:06

      CVE-2021-41155 has been assigned to this issue.


      • Original Submission
        Something went wrong, the follow up content couldn't be loaded
        Only formatting have been changed, you should switch to markup to see the changes
    • User avatar
      Thomas Gerbet (tgerbet)2021-10-18 11:13

      Public disclosure.

    • User avatar
      Joris MASSON (jmasson)2020-08-12 15:34
      gerrit #19816 integrated into Tuleap 11.17.99.146

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2020-08-12
    • User avatar
      Thomas Gerbet (tgerbet)2020-08-12 13:04
      Patch under review: gerrit #19815.

      • Status changed from Under implementation to Under review