      request #16657 Artifact level permissions are not verified when sending notifications
    Infos
    #16657
    Guilhem Bonnefille (CS) (gbonnefille)
    2020-09-22 11:56
    2020-09-07 16:35
    17949
    Details
    Artifact level permissions are not verified when sending notifications

    Permissions at the artifact level, such as tracker permissions or those set by the permissions on artifact field, are not correctly enforced when sending notifications.

    Impact

    Users might get access to information in artifacts they cannot access.
    CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    Exploitation/Reproduction

    Users receive notifications about **ALL** tracker items while permissions are set to « have access to artifacts they submitted ».

    To reproduce:
    1. Create a project from the template « Issue tracking ».
    2. In the « Issues » tracker, as administrator, set permissions to « none » everywhere except on « project members », where the permission is set to « have access to artifacts they submitted ».
    3. As a simple user (user1), on the tracker « Issues », change your « notifications » preferences to « Notify me on every change ».
    4. As another simple user (user2), create a tracker item.

    Observed:
    - user1 is not able to read items created by user2
    - but user1 receives a notification about user2's submission

    Expected:
    - user1 is not notified, as it has no permission on that artifact.
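    The reproduction above boils down to a recipient list that is computed from subscriptions alone, without the view check that the artifact page itself applies. The Python below is an added illustration, not Tuleap's code and not the fix referenced in this ticket: it models the tracker permissions from step 2 (« have access to artifacts they submitted » for project members), a field-level read restriction on a constructed « internal_notes » field, and the subscriptions from step 3, then shows the unchecked recipient list beside a hardened dispatcher that gates both the recipient list and the notification body on the same permission checks. All user, group and field names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample model (hypothetical; mirrors the reproduction steps, not Tuleap's data model).


@dataclass(frozen=True)
class Artifact:
    id: int
    tracker: str
    submitted_by: str          # user name of the submitter
    fields: Dict[str, str]     # field name -> value


# Access levels a user group can have on a tracker.
NONE = "none"
SUBMITTER_ONLY = "submitter_only"   # « have access to artifacts they submitted »
FULL = "full"

# Which groups each user belongs to (constructed).
USER_GROUPS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"project_admins", "project_members"}),
    "user1": frozenset({"project_members"}),
    "user2": frozenset({"project_members"}),
    "outsider": frozenset(),
}

# Tracker-level permissions per group, as set in step 2 of the reproduction.
TRACKER_PERMISSIONS: Dict[str, Dict[str, str]] = {
    "Issues": {"project_admins": FULL, "project_members": SUBMITTER_ONLY},
}

# Field-level read permissions: groups allowed to read a field.
# A field with no entry is readable by anyone who may view the artifact.
FIELD_READ_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Issues": {"internal_notes": frozenset({"project_admins"})},
}

# Users who chose « Notify me on every change » on the tracker (step 3).
SUBSCRIPTIONS: Dict[str, List[str]] = {"Issues": ["user1", "admin", "outsider"]}


def user_can_view(user: str, artifact: Artifact) -> bool:
    """Tracker-level check: does any of the user's groups grant access to this artifact?"""
    perms = TRACKER_PERMISSIONS.get(artifact.tracker, {})
    for group in USER_GROUPS.get(user, frozenset()):
        level = perms.get(group, NONE)
        if level == FULL:
            return True
        if level == SUBMITTER_ONLY and artifact.submitted_by == user:
            return True
    return False


def user_can_read_field(user: str, tracker: str, field_name: str) -> bool:
    """Field-level check: a restricted field is readable only by the listed groups."""
    allowed = FIELD_READ_PERMISSIONS.get(tracker, {}).get(field_name)
    if allowed is None:
        return True
    return bool(USER_GROUPS.get(user, frozenset()) & allowed)


def recipients_unchecked(artifact: Artifact) -> List[str]:
    """Behaviour described on the page: every subscriber is notified,
    whether or not they may view the artifact."""
    return list(SUBSCRIPTIONS.get(artifact.tracker, []))


def recipients_checked(artifact: Artifact) -> List[str]:
    """Hardened behaviour: the check that gates reading the artifact
    also gates receiving a notification about it."""
    return [u for u in recipients_unchecked(artifact) if user_can_view(u, artifact)]


def build_notification(user: str, artifact: Artifact) -> Optional[Dict[str, str]]:
    """Notification body for one recipient: None if the user may not view the
    artifact, otherwise only the fields that user is allowed to read."""
    if not user_can_view(user, artifact):
        return None
    return {name: value for name, value in artifact.fields.items()
            if user_can_read_field(user, artifact.tracker, name)}


def dispatch(artifact: Artifact) -> Dict[str, Dict[str, str]]:
    """Recipient -> notification body, hardened path (one body per recipient)."""
    out: Dict[str, Dict[str, str]] = {}
    for user in recipients_checked(artifact):
        body = build_notification(user, artifact)
        if body is not None:
            out[user] = body
    return out


# Step 4 of the reproduction: user2 submits an item (constructed content).
SAMPLE = Artifact(id=1, tracker="Issues", submitted_by="user2",
                  fields={"summary": "Crash on login", "internal_notes": "affects customer X"})

if __name__ == "__main__":
    print("unchecked recipients:", recipients_unchecked(SAMPLE))  # user1 and outsider would be mailed
    print("checked dispatch:    ", dispatch(SAMPLE))               # only admin, with every field
    print("user2's own view:    ", build_notification("user2", SAMPLE))
```

    The important design point is that `recipients_checked` and `build_notification` reuse `user_can_view` and `user_can_read_field` rather than a separate notification-only rule: whenever the tracker or field permissions change, the notification path cannot drift from the page permissions, which is exactly the gap this ticket describes.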

    References

    CWE-280: Improper Handling of Insufficient Permissions or Privileges

    Reported in version: All
    Assigned to: Thomas Gerbet (tgerbet)
    Status: Closed (2020-09-22)

    Follow-ups

    Thomas Gerbet (tgerbet) 2020-09-22 11:50
    • Summary
      -Permissions ignored by notifications 
      +Artifact level permissions are not verified when sending notifications 
    Thomas Gerbet (tgerbet) 2020-09-22 11:47
    Updating original submission to match Tuleap standard advisory format.

    • Original Submission
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version set to All
    • Platform cleared values: CentOS 6
    Thomas Gerbet (tgerbet) 2020-09-22 10:48
    Fix under review: gerrit #20249.

    • Status changed from Under implementation to Under review
    • Assigned to changed from Thomas Gerbet (tgerbet) to None
    • Reported in version cleared values: All
    • Platform set to CentOS 6
    Thomas Gerbet (tgerbet) 2020-09-22 09:45
    I confirm the issue, flagging as a security issue. Fix is on the way.

    If you ever encounter an issue with a security-related feature again, please reach out to us via security@tuleap.org so that the issue can be properly triaged 🙂
    https://www.tuleap.org/security/
    https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=blob&hb=a5f9b0b147a4195241468c0ecf5c84079b9b9e70&h=4b02b09696881ecfc9e186c9c8fee107a1669c4c&f=SECURITY.md

    • Status changed from New to Under implementation
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version changed from 11.16 to All
    • Platform cleared values: CentOS 6