•  
      request #39686 Permissions are not properly checked for email notifications in trackers
    Infos
    #39686
    Manuel Vacelet (vaceletm)
    2024-10-14 09:37
    2024-09-16 15:10
    41321
    Details
    Permissions are not properly checked for email notifications in trackers

    Permissions at the artifact level are not correctly verified when an artifact update is submitted with a follow-up comment.

    Impact

    Users might receive email notification with information they should not have access to.

    CVSSv3.1 score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

    Exploitation

    Given a project with following configuration

    • Bug_Reporters group with user_1, user_2
    • Bug_Managers group with user_3

    Given a tracker with following tracker permissions

    • all_users, registered_users, project_members => no permissions
    • Bug_Managers => are admin of tracker
    • Bug_Reporters => can access artifacts they submit

    Given user_2 goes in "my notifications" and check "Notify on all updates"

    When user_1 submit or update an artifact with a comment

    Then user_2 receive a full snapshot of the artifact.

    References

    CWE-280
    CVE-2024-46988

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2024-09-18
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-09-19 10:05

    CVE-2024-46988 has been assigned to this issue.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-09-17 10:49
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-09-16 16:15
    • Status changed from Verified to Under implementation
    • Reported in version set to All
    User avatar
    Thomas Gerbet (tgerbet)2024-09-16 15:13
    • Status changed from New to Verified
    • Assigned to changed from None to Thomas Gerbet (tgerbet)