The preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal).
Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced.
CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- Have an artifact in a private project
- With a user that is not a member of this private project edit another artifact elsewhere. Edit an artifact links field, select a type and try to preview this link with an artifact in the private project.
OWASP Top 10 Broken Access Control
This security issue was reported by Aurélien TISNÉ from CS Group.