request #39686 Permissions are not properly checked for email notifications in trackers

Infos

Artifact ID#39686

Submitted byManuel Vacelet (vaceletm)

Last Modified On2024-10-14 09:37

Submitted on2024-09-16 15:10

Rank41390

Details

Summary *

Permissions are not properly checked for email notifications in trackers

Original Submission

Permissions at the artifact level are not correctly verified when an artifact update is submitted with a follow-up comment.

Impact

Users might receive email notification with information they should not have access to.

CVSSv3.1 score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

Exploitation

Given a project with following configuration

Bug_Reporters group with user_1, user_2
Bug_Managers group with user_3

Given a tracker with following tracker permissions

all_users, registered_users, project_members => no permissions
Bug_Managers => are admin of tracker
Bug_Reporters => can access artifacts they submit

Given user_2 goes in "my notifications" and check "Notify on all updates"

When user_1 submit or update an artifact with a comment

Then user_2 receive a full snapshot of the artifact.

References

CWE-280
CVE-2024-46988

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2024-09-18

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #39686

Git commit

tuleap/tuleap/stable

fix: request #39686 Permissions are not properly checked for email notifications in trackers 05b401dd21

Thomas Gerbet (tgerbet) , 2024-09-17 10:51

Merge commit 'refs/changes/40/31940/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD c923c5e204

Nicolas Terray (nterray) , 2024-09-18 10:47

Show items referenced by request #39686

Referenced by request #39686

Artifact Tracker v5

rel #37898 16.0

Other

Follow-ups

Thomas Gerbet (tgerbet)

2024-10-14 09:37

Public disclosure.

Thomas Gerbet (tgerbet)

2024-09-19 10:05

CVE-2024-46988 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Nicolas Terray (nterray)

2024-09-18 10:47

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #37898
Close date set to 2024-09-18

Thomas Gerbet (tgerbet)

2024-09-17 10:52

See gerrit #31940.

Status changed from Under implementation to Under review

Thomas Gerbet (tgerbet)

2024-09-17 10:49

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2024-09-16 16:15

Status changed from Verified to Under implementation
Reported in version set to All

Thomas Gerbet (tgerbet)

2024-09-16 15:13

Status changed from New to Verified
Assigned to changed from None to Thomas Gerbet (tgerbet)