•  
      request #26816 Resources of private projects can be accessed by non project members
    Infos
    #26816
    Thomas Gerbet (tgerbet)
    2022-06-29 10:50
    2022-05-20 11:12
    28333
    Details
    Resources of private projects can be accessed by non project members

    Authorizations are not properly verified when creating projects or trackers from projects marked as templates.

    Impact

    Users can get access to information in those template projects because the permissions model is not properly enforced.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    • As a non member of a private template project create a new project from it
    • As a user that cannot see a tracker in a template project, create a new tracker from it

    References

    CWE 285
    CVE-2022-31032

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Lorentz Romain (lorentzr)
    Closed
    2022-06-21
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2022-06-21 10:18

    CVE-2022-31032 has been assigned to this issue.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Under implementation to Closed
    • Connected artifacts
    • Close date set to 2022-06-21
    User avatar
    • Status changed from Verified to Under implementation
    • Assigned to changed from None to Lorentz Romain (lorentzr)