Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #27538 Fine grained permissions are not checked when creating a branch with REST API
    Actions
    Infos
    #27538
    Yannis ROSSETTO (rossettoy)
    2022-07-26 10:49
    2022-07-05 11:03
    29102
    Details
    Fine grained permissions are not checked when creating a branch with REST API

    Authorizations are not properly verified when creating branches with the REST API in Git repositories using the fine grained permissions.

    Impact

    Users can create branches via the REST endpoint POST git/:id/branches regardless of the permissions set on the repository.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    References

    CWE 285
    CVE-2022-31128

    SCM/Git
    13.10
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Yannis ROSSETTO (rossettoy)
    Closed
    2022-07-06
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #26753 Tuleap Releases 13.11 Delivered 2022-09-05 15:28 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #27538

    Git commit

    tuleap/tuleap/stable

    fix: Fine grained permissions must be well handled in POST git/:id/branches 58ecb1dee1
    User avatar Yannis ROSSETTO (rossettoy) , 2022-07-05 17:49
    Referenced by request #27538

    Artifact Tracker v5

    rel #26753 13.11

    Other

    gerrit #26298
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2022-07-07 14:34

    CVE-2022-31128 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2022-07-05 11:36
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2022-07-05 11:30
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2022-07-05 11:30
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Assigned to changed from None to Yannis ROSSETTO (rossettoy)