      request #27538 Fine grained permissions are not checked when creating a branch with REST API
    Infos
    #27538
    Yannis ROSSETTO (rossettoy)
    2022-07-26 10:49
    2022-07-05 11:03
    29090
    Details
    Authorizations are not properly verified when creating branches with the REST API in Git repositories using the fine grained permissions.

    Impact

    Users can create branches via the REST endpoint POST git/:id/branches regardless of the permissions set on the repository.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    References

    CWE-285
    CVE-2022-31128

    SCM/Git
    13.10
    • [ ] enhancement
    • [ ] internal improvement
    Stage
    Yannis ROSSETTO (rossettoy)
    Closed
    2022-07-06
    References
    Referencing request #27538
    Referenced by request #27538

    Artifact Tracker v5

    rel #26753 13.11

    Follow-ups

    Thomas Gerbet (tgerbet) 2022-07-07 14:34

    CVE-2022-31128 has been assigned to this issue.


    Thomas Gerbet (tgerbet) 2022-07-05 11:36
    Thomas Gerbet (tgerbet) 2022-07-05 11:30
    Thomas Gerbet (tgerbet) 2022-07-05 11:30
    • Assigned to changed from None to Yannis ROSSETTO (rossettoy)