•  
      request #24202 SQL injection via the user settings of the CVS commits browser
    Infos
    #24202
    Thomas Gerbet (tgerbet)
    2021-12-15 08:42
    2021-12-07 16:01
    25648
    Details
    SQL injection via the user settings of the CVS commits browser

    Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories.

    Impact

    A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries.

    CVSSv3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    1. Go to a project with a CVS service
    2. Set the user preferences commits_browcust<project_id> to something like |100|100|100||A
    3. Go to /cvs/?func=browse&group_id=<project_id>
    4. Take a look at the executed query/MySQL warnings

    References

    CWE 89
    OWASP SQL Injection
    CVE-2021-43806

    SCM/CVS
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2021-12-07
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2021-12-08 08:22

    CVE-2021-43806 has been assigned to this issue.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes