Authorizations are not properly verified when displaying backlog items.
Impact
Users might be able to see backlog items that they should not see.
CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Exploitation
The issue can be reproduced with the following scenario:
- Have a project with the backlog service enabled, a few items and at least 2 members
- Use the "Permissions on artifacts" field to restrict a "To be planned" item so that only one member can see it
- Go to the backlog service: both users still see the items
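The scenario above is a classic CWE-285 pattern: the service-level check (backlog enabled, user is a project member) passes, and the per-item restriction set through the "Permissions on artifacts" field is never consulted when the list is rendered. The following is an added illustration, not code from the affected project; the data model, the user-group names ("core_team", "project_members") and the two listing functions are constructed assumptions that stand in for the real service, so the only thing it demonstrates is where the missing check belongs.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class BacklogItem:
    item_id: int
    title: str
    status: str
    # Constructed stand-in for the "Permissions on artifacts" field:
    # None means the item carries no per-item restriction (any project
    # member may see it); otherwise only users belonging to at least one
    # of these user groups may see it.
    allowed_ugroups: Optional[frozenset[str]] = None


@dataclass
class Project:
    project_id: int
    members: frozenset[str]
    backlog_enabled: bool
    items: list[BacklogItem] = field(default_factory=list)


@dataclass(frozen=True)
class User:
    name: str
    ugroups: frozenset[str]


def can_access_service(project: Project, user: User) -> bool:
    """Service-level check: backlog enabled and the user is a project member."""
    return project.backlog_enabled and user.name in project.members


def can_view_item(item: BacklogItem, user: User) -> bool:
    """Item-level check driven by the per-artifact permission field."""
    if item.allowed_ugroups is None:
        return True
    return not item.allowed_ugroups.isdisjoint(user.ugroups)


def list_backlog_vulnerable(project: Project, user: User) -> list[str]:
    """Before the fix: stops at the service-level check, so the item-level
    restriction is never consulted and every member sees every item."""
    if not can_access_service(project, user):
        return []
    return [item.title for item in project.items]


def list_backlog_fixed(project: Project, user: User) -> list[str]:
    """After the fix: re-applies the item-level check to each item before
    it is included in the displayed backlog."""
    if not can_access_service(project, user):
        return []
    return [item.title for item in project.items if can_view_item(item, user)]


# Constructed sample data mirroring the reproduction scenario: two members,
# one of whom belongs to the user group the restricted item is limited to.
ALICE = User("alice", frozenset({"project_members", "core_team"}))
BOB = User("bob", frozenset({"project_members"}))
PROJECT = Project(
    project_id=101,
    members=frozenset({"alice", "bob"}),
    backlog_enabled=True,
    items=[
        BacklogItem(1, "Public roadmap item", "To be planned"),
        BacklogItem(2, "Restricted item", "To be planned", frozenset({"core_team"})),
        BacklogItem(3, "In-progress item", "On going"),
    ],
)

if __name__ == "__main__":
    for listing in (list_backlog_vulnerable, list_backlog_fixed):
        for user in (ALICE, BOB):
            print(f"{listing.__name__:24} {user.name}: {listing(PROJECT, user)}")
```

Running the block shows the difference the advisory describes: with the vulnerable listing, bob (not in "core_team") sees the restricted item alongside the others; with the fixed listing, he sees only the two unrestricted items while alice still sees all three. The design point is that membership in the project is a necessary but not sufficient condition, and any view that aggregates artifacts (backlog, reports, search results) has to re-run the per-artifact permission check rather than assume the service-level gate covered it.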
References
CWE-285 (Improper Authorization)
CVE-2024-37167