Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #33608 Preview of a linked artifact with a type does not respect permissions
    Actions
    Infos
    #33608
    Thomas Gerbet (tgerbet)
    2023-08-21 08:45
    2023-07-25 15:08
    35207
    Details
    Preview of a linked artifact with a type does not respect permissions

    The preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal).

    Impact

    Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced.
    CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    Exploitation

    1. Have an artifact in a private project
    2. With a user that is not a member of this private project edit another artifact elsewhere. Edit an artifact links field, select a type and try to preview this link with an artifact in the private project.

    References

    CWE 200
    OWASP Top 10 Broken Access Control
    CVE-2023-38508

    Acknowledgement

    This security issue was reported by Aurélien TISNÉ from CS Group.

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2023-07-26
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #32656 Tuleap Releases 14.12 Delivered 2023-08-23 09:27 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #33608

    Artifact Tracker v5

    request #36803 Mass update clears the permissions on artifact field

    Git commit

    tuleap/tuleap/stable

    Fixes request #33608: Preview of a linked artifact with a type does not respect permissions 307c1c8044
    User avatar Thomas Gerbet (tgerbet) , 2023-07-25 15:21
    Merge commit 'refs/changes/77/29077/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 7441d3422a
    User avatar Yannis ROSSETTO (rossettoy) , 2023-07-26 10:15
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2023-07-27 10:16

    CVE-2023-38508 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2023-07-25 15:32
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2023-07-25 15:28

    A patch is under review: gerrit #29077.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes