Permissions at the artifact level, such as tracker permissions or those set by the « permissions on artifact » field, are not correctly enforced when sending notifications.
Users may thus receive, through notifications, information from artifacts they are not allowed to read.
CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Users receive notifications about **ALL** tracker items while permissions are set to « have access to artifacts they submitted »
1. Create a project from template « Issue tracking »
2. In the « Issues » tracker, as administrator, set permissions to « none » everywhere except on « project members » where permission is set to « have access to artifacts they submitted »
3. As a regular user (user1), on the « Issues » tracker, change your « notifications » preferences to « Notify me on every change »
4. As another regular user (user2), create a tracker item
Observed behaviour:
- user1 is not able to read items created by user2
- but user1 receives a notification about the submission made by user2
Expected behaviour:
- user1 is not notified, as it has no permission to read that artifact.
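The defect described above is a missing per-recipient permission check at notification time. The following model, added here as an illustration and not taken from Tuleap's code base, reproduces the steps above (user1 and user2 are both project members whose tracker permission is « have access to artifacts they submitted ») and also covers the field-level case mentioned in the first sentence: a field readable only by a restricted group is stripped from the payload even for recipients who may read the artifact. Group names, permission values and field names are assumptions chosen for the example.

```python
"""Per-recipient permission checks for tracker notifications.

Constructed example: the group names, permission values and field names
are assumptions, not Tuleap's own identifiers or code.
"""
from dataclasses import dataclass, field

# Tracker-level permission values (assumed names).
NONE = "none"
SUBMITTED_ONLY = "submitted_only"   # « have access to artifacts they submitted »
FULL = "full"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # user groups the account belongs to


@dataclass
class Artifact:
    id: int
    submitter: str
    fields: dict  # field name -> value


@dataclass
class Tracker:
    # user group -> tracker-level permission
    access: dict
    # field name -> set of groups allowed to read it
    # (a field absent from this map is readable by anyone who can read the artifact)
    field_readers: dict = field(default_factory=dict)


def can_read_artifact(user, artifact, tracker):
    """Tracker-level check: FULL grants everything, SUBMITTED_ONLY grants own artifacts only."""
    best = NONE
    for group in user.groups:
        permission = tracker.access.get(group, NONE)
        if permission == FULL:
            return True
        if permission == SUBMITTED_ONLY:
            best = SUBMITTED_ONLY
    return best == SUBMITTED_ONLY and artifact.submitter == user.name


def readable_fields(user, artifact, tracker):
    """Field-level check: keep only the fields the recipient's groups may read."""
    return {
        name: value
        for name, value in artifact.fields.items()
        if name not in tracker.field_readers or user.groups & tracker.field_readers[name]
    }


def notify_unchecked(artifact, subscribers, tracker):
    """Vulnerable behaviour: every subscriber receives the whole artifact."""
    return {user.name: dict(artifact.fields) for user in subscribers}


def notify_checked(artifact, subscribers, tracker):
    """Hardened behaviour: recipients filtered by artifact permission,
    and each payload reduced to the fields that recipient may read."""
    deliveries = {}
    for user in subscribers:
        if not can_read_artifact(user, artifact, tracker):
            continue  # subscription alone never grants read access
        deliveries[user.name] = readable_fields(user, artifact, tracker)
    return deliveries


def scenario():
    """Reproduction of the steps above; returns (vulnerable, hardened) deliveries."""
    tracker = Tracker(
        access={"project_members": SUBMITTED_ONLY, "project_admins": FULL},
        field_readers={"internal_note": {"project_admins"}},  # assumed restricted field
    )
    user1 = User("user1", frozenset({"project_members"}))
    user2 = User("user2", frozenset({"project_members"}))
    admin = User("admin", frozenset({"project_admins"}))
    artifact = Artifact(1, submitter="user2",
                        fields={"summary": "Login fails", "internal_note": "customer X"})
    subscribers = [user1, user2, admin]  # all chose « Notify me on every change »
    return notify_unchecked(artifact, subscribers, tracker), notify_checked(artifact, subscribers, tracker)


if __name__ == "__main__":
    vulnerable, hardened = scenario()
    print("unchecked:", vulnerable)
    print("checked:  ", hardened)
```

The design point is that the recipient list must be derived from the artifact's permissions at send time, not from the subscription list alone, and that field-level permissions apply to the notification body exactly as they apply to the artifact view.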