Tuleap 16 est là ! Assistez à l'événement virtuel le 17 octobre à 10h30. Inscrivez-vous ici !

    •  
      request #16657 Artifact level permissions are not verified when sending notifications
    Infos
    #16657
    Guilhem Bonnefille (CS) (gbonnefille)
    2020-09-22 11:56
    2020-09-07 16:35
    17954
    Details
    Artifact level permissions are not verified when sending notifications

    Permissions at the artifact level such as tracker permissions or the ones set by the permissions on artifact field are not correctly enforced when sending notifications.

    Impact

    Users might get access to information in artifacts they cannot access.
    CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    Exploitation/Reproduction

    Users receive notification about **ALL** tracker item while permissions are set to « have access to artifacts they submitted »

    To reproduce:
    1. Create a project from template « Issue tracking »
    2. In the « Issues » tracker, as administrator, set permissions to « none » everywhere except on « project members » where permission is set to « have access to artifacts they submitted »
    3. as simple user (user1), on the tracker « Issues », change your « notifications » preferences to « Notify me on every change »
    4. as an other simple user (user2), create a tracker item

    Observed:
    - user1 is not able to read items created by user2
    - but user1 receives notification about submission of user2

    Expected :
    - user1 is not notified, as it has no permissions for that.

    References

    CWE 280

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-09-22
    Attachments
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2020-09-22 11:50
    • Summary
      -Permissions ignored by notifications 
      +Artifact level permissions are not verified when sending notifications 
    User avatar
    Thomas Gerbet (tgerbet)2020-09-22 11:47
    Updating original submission to match Tuleap standard advisory format.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version set to All
    • Platform cleared values: CentOS 6
    User avatar
    Thomas Gerbet (tgerbet)2020-09-22 10:48
    Fix under review: gerrit #20249.

    • Status changed from Under implementation to Under review
    • Assigned to changed from Thomas Gerbet (tgerbet) to None
    • Reported in version cleared values: All
    • Platform set to CentOS 6
    User avatar
    Thomas Gerbet (tgerbet)2020-09-22 09:45
    I confirm the issue, flagging as a security issue. Fix is on the way.

    If you ever encounter again an issue with a security related feature please reach out to us via security@tuleap.org so that the issue can be properly triaged 🙂
    https://www.tuleap.org/security/
    https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=blob&hb=a5f9b0b147a4195241468c0ecf5c84079b9b9e70&h=4b02b09696881ecfc9e186c9c8fee107a1669c4c&f=SECURITY.md

    • Status changed from New to Under implementation
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version changed from 11.16 to All
    • Platform cleared values: CentOS 6