    request #26729 Tracker report renderer and chart widgets leak information user cannot access
    Infos
    #26729
    Lorentz Romain (lorentzr)
    2022-06-06 14:23
    2022-04-27 13:18
    28253
    Details
    Tracker report renderer and chart widgets leak information user cannot access

    Authorizations are not properly verified when displaying the content of tracker report renderer and chart widgets.

    Impact

    Malicious users could use this vulnerability to retrieve the names of trackers they cannot access, as well as the names of the fields used in those trackers' reports.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    In a personal dashboard add a tracker report renderer widget using the ID of a renderer located in a tracker you cannot access.
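    As an added illustration (not Tuleap's own code), a minimal Python model of the widget lookup: the vulnerable version renders whatever renderer ID the widget stores, while the corrected version checks the user's permission on the underlying tracker first and returns the same response for a forbidden renderer as for a missing one, so the error itself does not confirm the tracker. Trackers, renderers and user names are constructed sample data.

```python
# Added example (not Tuleap code): a minimal model of how a dashboard widget
# must authorize the tracker behind a report renderer before rendering it.
# All trackers, renderers and users below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Tracker:
    tracker_id: int
    name: str
    allowed_users: set  # user names allowed to read the tracker (constructed)

@dataclass
class Renderer:
    renderer_id: int
    tracker_id: int
    fields: list  # field names shown by the report

TRACKERS = {
    10: Tracker(10, "Public requests", {"alice", "bob"}),
    20: Tracker(20, "HR confidential", {"bob"}),
}
RENDERERS = {
    100: Renderer(100, 10, ["Summary", "Status"]),
    200: Renderer(200, 20, ["Employee", "Salary"]),
}
NOT_FOUND = {"error": "renderer not available"}

def render_widget_vulnerable(user, renderer_id):
    """Looks up the renderer by the ID stored in the widget and renders it
    without checking that the user may read the underlying tracker."""
    renderer = RENDERERS.get(renderer_id)
    if renderer is None:
        return NOT_FOUND
    tracker = TRACKERS[renderer.tracker_id]
    return {"tracker": tracker.name, "fields": list(renderer.fields)}

def render_widget_fixed(user, renderer_id):
    """Same lookup, but the tracker permission is checked before anything
    about the tracker or its fields is returned; a forbidden renderer is
    indistinguishable from a non-existent one."""
    renderer = RENDERERS.get(renderer_id)
    if renderer is None:
        return NOT_FOUND
    tracker = TRACKERS[renderer.tracker_id]
    if user not in tracker.allowed_users:
        return NOT_FOUND
    return {"tracker": tracker.name, "fields": list(renderer.fields)}
```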

    References

    CWE 285
    CVE-2022-24896

    Trackers
    All
    Stage
    Lorentz Romain (lorentzr)
    Closed
    2022-04-28

    Follow-ups

    Thomas Gerbet (tgerbet), 2022-04-29 08:56

    CVE-2022-24896 has been assigned to this issue.


    Thomas Gerbet (tgerbet), 2022-04-27 14:14
    • Summary
      -Wiget based on tracker report should not diplay data when user can't access the tracker. 
      +Tracker report renderer and chart widgets leak information user cannot access 
    • Category set to Trackers
    • Reported in version set to All