      request #16657 Artifact level permissions are not verified when sending notifications
    Infos
    #16657
    Guilhem Bonnefille (CS) (gbonnefille)
    2020-09-22 11:56
    2020-09-07 16:35
    17367
    Details
    Artifact level permissions are not verified when sending notifications

    Permissions at the artifact level, such as tracker permissions or the permissions set on an artifact field, are not correctly enforced when sending notifications.

    Impact

    Users might get access to information in artifacts they cannot access.
    CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    Exploitation/Reproduction

    Users receive notifications about **ALL** tracker items while permissions are set to « have access to artifacts they submitted »

    To reproduce:
    1. Create a project from the template « Issue tracking »
    2. In the « Issues » tracker, as administrator, set permissions to « none » everywhere except on « project members », where the permission is set to « have access to artifacts they submitted »
    3. As a simple user (user1), on the « Issues » tracker, change your « notifications » preferences to « Notify me on every change »
    4. As another simple user (user2), create a tracker item

    Observed:
    - user1 is not able to read items created by user2
    - but user1 receives a notification about user2's submission

    Expected:
    - user1 is not notified, as user1 has no permission to read that artifact.
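    As an added illustration of the check the reproduction shows missing (example code, not Tuleap's own), the following notification builder models the permissions from step 2: recipients who cannot read the artifact are dropped, and recipients who can read it only receive the fields their group may read. Group names, field names, user names and the data are constructed for the example.

```python
from enum import Enum


class TrackerAccess(Enum):
    NONE = "none"
    SUBMITTED_ONLY = "have access to artifacts they submitted"
    ALL = "have access to all artifacts"


# Constructed sample data modelled on the reproduction steps (hypothetical groups/users).
USER_GROUPS = {
    "user1": {"project_members"},
    "user2": {"project_members"},
    "user3": {"registered_users"},
}
# Step 2: « none » everywhere except project members -> submitted-only.
TRACKER_PERMS = {
    "project_members": TrackerAccess.SUBMITTED_ONLY,
    "registered_users": TrackerAccess.NONE,
}
# Field-level permissions: groups allowed to read each field (constructed).
FIELD_READERS = {"summary": {"project_members"}, "severity": {"project_admins"}}


def can_read_artifact(user, submitted_by):
    """Tracker-level check: any group grants ALL, or SUBMITTED_ONLY for the submitter."""
    for group in USER_GROUPS.get(user, set()):
        access = TRACKER_PERMS.get(group, TrackerAccess.NONE)
        if access is TrackerAccess.ALL:
            return True
        if access is TrackerAccess.SUBMITTED_ONLY and submitted_by == user:
            return True
    return False


def readable_fields(user, changed_fields):
    """Field-level check: keep only fields one of the user's groups may read."""
    groups = USER_GROUPS.get(user, set())
    return {f: v for f, v in changed_fields.items() if FIELD_READERS.get(f, set()) & groups}


def build_notifications(submitted_by, changed_fields, subscribers):
    """Map recipient -> fields to include. Subscribers are users who chose
    « Notify me on every change »; those who cannot read the artifact, or
    none of the changed fields, get no notification at all."""
    out = {}
    for user in subscribers:
        if not can_read_artifact(user, submitted_by):
            continue  # the check missing in the reported behaviour
        fields = readable_fields(user, changed_fields)
        if fields:
            out[user] = fields
    return out
```

    Running `build_notifications("user2", {"summary": "Bug", "severity": "high"}, ["user1", "user2", "user3"])` yields a notification for user2 only, and without the « severity » field.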

    References

    CWE-280

    Trackers
    All
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-09-22
    References
    Artifact Tracker v5