request #29223 Without authentication API exposing all user's(including admin) profile details without authentication

Infos

Artifact ID#29223

Submitted bySatyam Patel (satyam_patel)

Last Modified On2022-10-17 09:25

Submitted on2022-10-17 01:28

Rank30798

Details

Summary *

Without authentication API exposing all user's(including admin) profile details without authentication

Original Submission

URL: https://tuleap.net/api/users/101

Without authentication, attackers can access all users' information. And can brute force the to take over the admin account.

POC:

CategoryAuthentication & LDAP

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusDeclined

Close date2022-10-17

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Empty

Attachments

By Satyam Patel (satyam_patel)

(81 kB)

image.png

References

Cross references

Referencing request #29223

Artifact Tracker v5

request #29224 Site Administrator profile is not private

Follow-ups

Thomas Gerbet (tgerbet)

2022-10-17 09:25

Hello,

This is an expected behavior of the application.

Also, please do not search for security issues on a production instance you do not want. Our guidelines on how to report security issues are available here: https://www.tuleap.org/security

Status changed from New to Declined
CC list cleared values: Manuel Vacelet (Admin) (admin_manuel), Site Administrator (admin), Laurent Charles (Admin) (admin_laurent), Nicolas Terray (Admin) (admin_nicolas)
Close date set to 2022-10-17

Public

Artifact links

Reverse artifact links

Referencing request #29223

Artifact Tracker v5

Follow-ups