request #24202 SQL injection via the user settings of the CVS commits browser

Artifact

Infos

Artifact ID#24202

Submitted byThomas Gerbet (tgerbet)

Last Modified On2021-12-15 08:42

Submitted on2021-12-07 16:01

Rank25740

Details

Summary *

SQL injection via the user settings of the CVS commits browser

Original Submission

Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories.

Impact

A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries.

CVSSv3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploitation

Go to a project with a CVS service
Set the user preferences commits_browcust<project_id> to something like |100|100|100||A
Go to /cvs/?func=browse&group_id=<project_id>
Take a look at the executed query/MySQL warnings

References

CWE 89
OWASP SQL Injection
CVE-2021-43806

CategorySCM/CVS

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2021-12-07

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #23428	Tuleap	Releases	13.3	Delivered	2021-08-12 17:17	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #24202

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/12/24612/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 1f0a9e40ca

Nicolas Terray (nterray) , 2021-12-07 17:06

request #24202: SQL injection via the user settings of the CVS commits browser b82be896b0

Thomas Gerbet (tgerbet) , 2021-12-07 16:05

Fix Psalm baseline a9eb008cda

Thomas Gerbet (tgerbet) , 2021-12-07 17:18

Show items referenced by request #24202

Referenced by request #24202

Artifact Tracker v5

rel #23428 13.3

Other

gerrit #24612

gerrit #24616

Follow-ups

Thomas Gerbet (tgerbet)

2021-12-15 08:42

Public disclosure.

Thomas Gerbet (tgerbet)

2021-12-08 08:22

CVE-2021-43806 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Nicolas Terray (nterray)

2021-12-07 19:21

gerrit #24616 integrated into Tuleap 13.2.99.156

Nicolas Terray (nterray)

2021-12-07 17:07

gerrit #24612 integrated into Tuleap 13.2.99.155

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #23428
Close date set to 2021-12-07

Thomas Gerbet (tgerbet)

2021-12-07 16:06

Patch under review: gerrit #24612.

Status changed from Under implementation to Under review