      request #35862 Content of artifacts might be readable by unauthorized users
    Infos
    #35862
    Nicolas Terray (nterray)
    2024-02-06 14:30
    2024-01-19 17:20
    37464
    Details
    Content of artifacts might be readable by unauthorized users

    Impact

    Some users might get access to restricted information when a process validates the permissions of multiple users (e.g. mail notifications).
    CVSSv3.1 score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

    References

    Introduced in Tuleap 15.2.99.49 (git #tuleap/stable/795b1bf0cf53b8ef0c73aaa43e38cf4146af2737)
    CWE 200
    OWASP Top 10 Broken Access Control
    CVE-2024-23344

    Trackers
    15.3
    Stage
    Nicolas Terray (nterray)
    Closed
    2024-01-22

    Follow-ups

    Thomas Gerbet (tgerbet) 2024-01-23 09:19

    CVE-2024-23344 has been assigned to this issue.


    Thomas Gerbet (tgerbet) 2024-01-22 15:39
    • Summary
      -Artifact userCanView not properly cached 
      +Content of artifacts might be readable by unauthorized users 