request #41434 Initial effort field does not respect field permissions in the Taskboard REST card representation

Infos

Artifact ID#41434

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-02-03 09:33

Submitted on2025-01-06 17:05

Rank43089

Details

Summary *

Initial effort field does not respect field permissions in the Taskboard REST card representation

Original Submission

The initial effort field permissions are not respected when retrieving the cards of a Taskboard.

Impact

An unauthorized user might get access to restricted information.
CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploitation

Restrict the initial effort field of a tracker used with the Taskboard plugin to the project administrators.
With a user that is not a project administrators try to access cards on one of the following REST endpoints (or just display the taskboard):

taskboard/:id/cards
taskboard_cards/:id
taskboard_cards/:id/children

References

CWE 280
CVE-2025-22129

CategoryAgile Dashboard

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-01-07

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #39698	Tuleap	Releases	16.4	Delivered	2025-01-30 09:22	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #41434

Git commit

tuleap/tuleap/stable

fix: request #41434 Initial effort field does not respect field permissions in the Taskboard REST card representation 3edf8158ba

Thomas Gerbet (tgerbet) , 2025-01-06 17:29

Merge commit 'refs/changes/37/32937/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 28a13b51b6

Joris MASSON (jmasson) , 2025-01-07 10:42

Show items referenced by request #41434

Referenced by request #41434

Artifact Tracker v5

rel #39698 16.4

Git commit

tuleap/tuleap/stable

fix: request #41434 Initial effort field does not respect field permissions in the Taskboard REST card representation 3edf8158ba

Thomas Gerbet (tgerbet) , 2025-01-06 17:29

Follow-ups

Thomas Gerbet (tgerbet)

2025-02-03 09:33

Public disclosure.

Thomas Gerbet (tgerbet)

2025-01-08 09:13

CVE-2025-22129 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Joris MASSON (jmasson)

2025-01-07 10:43

Connected artifacts
- Added Fixed in: rel #39698

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-01-07 10:42

request fixed by @tgerbet with git #tuleap/stable/3edf8158ba40be66f0b661888b8b2805784795d1.

Status changed from Under implementation to Closed
Close date set to 2025-01-07

Thomas Gerbet (tgerbet)

2025-01-06 17:09

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes