Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #39686 Permissions are not properly checked for email notifications in trackers
    Actions
    Infos
    #39686
    Manuel Vacelet (vaceletm)
    2024-10-14 09:37
    2024-09-16 15:10
    41313
    Details
    Permissions are not properly checked for email notifications in trackers

    Permissions at the artifact level are not correctly verified when an artifact update is submitted with a follow-up comment.

    Impact

    Users might receive email notification with information they should not have access to.

    CVSSv3.1 score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

    Exploitation

    Given a project with following configuration

    • Bug_Reporters group with user_1, user_2
    • Bug_Managers group with user_3

    Given a tracker with following tracker permissions

    • all_users, registered_users, project_members => no permissions
    • Bug_Managers => are admin of tracker
    • Bug_Reporters => can access artifacts they submit

    Given user_2 goes in "my notifications" and check "Notify on all updates"

    When user_1 submit or update an artifact with a comment

    Then user_2 receive a full snapshot of the artifact.

    References

    CWE-280
    CVE-2024-46988

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2024-09-18
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #37898 Tuleap Releases 16.0 Delivered 2024-10-09 15:47 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #39686

    Git commit

    tuleap/tuleap/stable

    fix: request #39686 Permissions are not properly checked for email notifications in trackers 05b401dd21
    User avatar Thomas Gerbet (tgerbet) , 2024-09-17 10:51
    Merge commit 'refs/changes/40/31940/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD c923c5e204
    User avatar Nicolas Terray (nterray) , 2024-09-18 10:47
    Referenced by request #39686

    Artifact Tracker v5

    rel #37898 16.0

    Other

    gerrit #31940
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2024-09-19 10:05

    CVE-2024-46988 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-09-17 10:49
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2024-09-16 16:15
    • Status changed from Verified to Under implementation
    • Reported in version set to All
    User avatar
    Thomas Gerbet (tgerbet)2024-09-16 15:13
    • Status changed from New to Verified
    • Assigned to changed from None to Thomas Gerbet (tgerbet)