request #28848 GitLab repository branch prefix can be updated by any user

Artifact

Infos

Artifact ID#28848

Submitted byYannis ROSSETTO (rossettoy)

Last Modified On2022-10-17 09:20

Submitted on2022-09-20 15:57

Rank30421

Details

Summary *

GitLab repository branch prefix can be updated by any user

Original Submission

Authorizations are not properly verified when updating the branch prefix used by the GitLab repository integration.

Impact

Authenticated users can change the branch prefix of any of the GitLab repository integration they can see vie the REST endpoint PATCH /gitlab_repositories/{id}. This action should be restricted to Git administrators.

CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

References

CWE 285
CVE-2022-39233

CategorySCM/GitLab

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toYannis ROSSETTO (rossettoy)

StatusClosed

Close date2022-09-21

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #27177	Tuleap	Releases	14.1	Delivered	2022-10-13 15:53	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #28848

Git commit

tuleap/tuleap/stable

fix!: GitLab repository branch prefix can be updated by any user a06cb42d55

Yannis ROSSETTO (rossettoy) , 2022-09-20 16:46

Show items referenced by request #28848

Referenced by request #28848

Artifact Tracker v5

rel #27177 14.1

Git commit

tuleap/tuleap/stable

fix!: GitLab repository branch prefix can be updated by any user a06cb42d55

Yannis ROSSETTO (rossettoy) , 2022-09-20 16:46

Other

Follow-ups

Thomas Gerbet (tgerbet)

2022-10-17 09:20

Public disclosure.

Thomas Gerbet (tgerbet)

2022-09-22 14:54

CVE-2022-39233 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2022-09-21 16:33

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

2022-09-21 10:04

gerrit #26757 integrated into Tuleap 14.0.99.24

Connected artifacts
- Added Fixed in: rel #27177

Tracker Workflow Manager (forge__tracker_workflow_manager)

2022-09-21 10:03

Closed by @rossettoy with git #tuleap/stable/a06cb42d55c840d61a484472ed6b169ab23853ac.

Status changed from Under review to Closed
Close date set to 2022-09-21

Yannis ROSSETTO (rossettoy)

2022-09-20 17:02

A patch has been submitted for review: gerrit #26757

Status changed from Verified to Under review

Yannis ROSSETTO (rossettoy)

2022-09-20 16:47

Summary
-~~Updating~~ GitLab repository branch prefix can updated by any user
+GitLab repository branch prefix can be updated by any user