•  
      request #36803 Mass update clears the permissions on artifact field
    Infos
    #36803
    Aurélien Tisné (atisne)
    2024-02-15 08:57
    2024-02-06 14:22
    38389
    Details
    Mass update clears the permissions on artifact field

    Updating an artifact via the mass update feature clears the content of the permissions on artifact field.

    Impact

    Users with a read access to a tracker where the mass update feature is used might get access to restricted information.
    CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N)

    Steps to reproduce

    1. Create a tracker using a field of type 'Permission on artifacts'
    2. Create some artifacts and set permission on these artifacts
    3. Update some artifacts, without modify permissions on them, using the feature 'Mass update' -> All modified artifacts lost their permissions

    See the changelog on the attachment.

    References

    CWE 200
    OWASP Top 10 Broken Access Control
    CVE-2024-25130

    Acknowledgement

    This security issue was reported by Aurélien TISNÉ from CS Group.

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2024-02-14
    Attachments
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-02-15 08:57

    CVE-2024-25130 has been assigned to this issue.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-02-13 11:12

    Under review at gerrit #30440


    • Summary
      -Mass update clears permissions on artifact 
      +Mass update clears the permissions on artifact field 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Under implementation to Under review
    User avatar
    Thomas Gerbet (tgerbet)2024-02-13 08:01

    Can we credit you for the finding in the same way we did for art #33608?


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-02-13 07:53

    Hello,

    Thanks for the report. I confirm the issue. Flagging this as a security issue as it can lead to an unwanted information disclosure.


    • Status changed from New to Under implementation
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version changed from development to All
    • Platform cleared values: EL9 (RockyLinux|AlmaLinux|RHEL)
    User avatar

    The problem seems located to plugins/tracker/include/Tracker/FormElement/Tracker_FormElement_Field_PermissionsOnArtifact.php method fetchSubmitValueMasschange: this method returns the standard widget, without any unchanged specific value.