request #42231 Missing CSRF protection on tracker hierarchy administration

Infos

Artifact ID#42231

Submitted byJoris MASSON (jmasson)

Last Modified On2025-03-31 10:16

Submitted on2025-03-17 19:13

Rank43907

Details

Summary *

Missing CSRF protection on tracker hierarchy administration

Original Submission

In the administration of a Tracker, in the "Tracker hierarchy", there is no CSRF protection when choosing the list of children trackers.

Impact

An attacker could use this vulnerability to trick victims into changing the hierarchy of a tracker.

CVSSv3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)

References

CWE 352
Cross-Site Request Forgery - OWASP
CVE-2025-29929

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toJoris MASSON (jmasson)

StatusClosed

Close date2025-03-18

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #41092	Tuleap	Releases	16.6	Delivered	2025-03-26 17:54	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #42231

Git commit

tuleap/tuleap/stable

fix: request #42231 Missing CSRF protection on tracker hierarchy administration dce61747f3

Joris MASSON (jmasson) , 2025-03-18 12:20

Merge commit 'refs/changes/46/33846/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD c2e5a2996b

Marie Ange Garnier (marieange) , 2025-03-18 15:05

Show items referenced by request #42231

Referenced by request #42231

Artifact Tracker v5

rel #41092 16.6

Git commit

tuleap/tuleap/stable

fix: request #42231 Missing CSRF protection on tracker hierarchy administration dce61747f3

Joris MASSON (jmasson) , 2025-03-18 12:20

Other

gerrit #33846

Follow-ups

Thomas Gerbet (tgerbet)

2025-03-31 10:16

Public disclosure.

Thomas Gerbet (tgerbet)

2025-03-27 17:38

CVE-2025-29929 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

2025-03-18 15:15

Connected artifacts
- Added Fixed in: rel #41092

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-03-18 15:05

request fixed by @jmasson with git #tuleap/stable/dce61747f3a169da1f6b585ad5e6e0847fa3c950.

Status changed from Under review to Closed
Close date set to 2025-03-18

Joris MASSON (jmasson)

2025-03-18 11:56

See gerrit #33846

Status changed from Under implementation to Under review

Joris MASSON (jmasson)

2025-03-17 19:14

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes