Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #36803 Mass update clears the permissions on artifact field
    Actions
    Infos
    #36803
    Aurélien Tisné (atisne)
    2024-02-15 08:57
    2024-02-06 14:22
    38403
    Details
    Mass update clears the permissions on artifact field

    Updating an artifact via the mass update feature clears the content of the permissions on artifact field.

    Impact

    Users with a read access to a tracker where the mass update feature is used might get access to restricted information.
    CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N)

    Steps to reproduce

    1. Create a tracker using a field of type 'Permission on artifacts'
    2. Create some artifacts and set permission on these artifacts
    3. Update some artifacts, without modify permissions on them, using the feature 'Mass update' -> All modified artifacts lost their permissions

    See the changelog on the attachment.

    References

    CWE 200
    OWASP Top 10 Broken Access Control
    CVE-2024-25130

    Acknowledgement

    This security issue was reported by Aurélien TISNÉ from CS Group.

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2024-02-14
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #35498 Tuleap Releases 15.6 Delivered 2024-03-04 15:49 Manuel Vacelet (vaceletm)
    By Aurélien Tisné (atisne)
    (27 kB)
    mass-update-changelog.png
    Mass update changelog
    References
    Referencing request #36803

    Artifact Tracker v5

    request #36817 Inconsistency in JSON representation of perm

    Git commit

    tuleap/tuleap/stable

    fix: request #36803 Mass update clears permissions on artifact 57978a3250
    User avatar Thomas Gerbet (tgerbet) , 2024-02-14 11:58
    Merge commit 'refs/changes/40/30440/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 2b83d93b3a
    User avatar Joris MASSON (jmasson) , 2024-02-14 13:50
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-02-15 08:57

    CVE-2024-25130 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-02-13 11:12

    Under review at gerrit #30440

    • Summary
      -Mass update clears permissions on artifact 
      +Mass update clears the permissions on artifact field 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Under implementation to Under review
    User avatar
    Thomas Gerbet (tgerbet)2024-02-13 08:01

    Can we credit you for the finding in the same way we did for art #33608?

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-02-13 07:53

    Hello,

    Thanks for the report. I confirm the issue. Flagging this as a security issue as it can lead to an unwanted information disclosure.

    • Status changed from New to Under implementation
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version changed from development to All
    • Platform cleared values: EL9 (RockyLinux|AlmaLinux|RHEL)
    User avatar
    Guilhem Bonnefille (CS) (gbonnefille)2024-02-07 14:02

    The problem seems located to plugins/tracker/include/Tracker/FormElement/Tracker_FormElement_Field_PermissionsOnArtifact.php method fetchSubmitValueMasschange: this method returns the standard widget, without any unchanged specific value.