Your platform will be unavailable on the 13th of November 2024 from 9am to 12pm (Paris time) for maintenance operations

    •  
      request #38297 Permissions of the backlog items are not verified
    Infos
    #38297
    Thomas Gerbet (tgerbet)
    2024-06-24 09:34
    2024-06-07 11:29
    39918
    Details
    Permissions of the backlog items are not verified

    Authorizations are not properly verified when displaying backlog items.

    Impact

    Users might be able to see backlog items that they should not see.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    The issue can be reproduced with the following scenario:

    1. Have a project with the backlog service enabled, a few items and at least 2 members
    2. Using the "Permissions on artifacts" field restrict a "To be planned" item so only one member can see it
    3. Go to the backlog service, both users still see the items

    References

    CWE 285
    CVE-2024-37167

    Backlog
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2024-06-11
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-06-11 09:50
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Under review to Closed
    • Close date set to 2024-06-11