request #43704 Artifact disclosure to a mentioned user via email notifications

Infos

Artifact ID#43704

Submitted byAntoine Sauzeau (antoinesauzeau)

Last Modified On2025-07-21 16:11

Submitted on2025-07-10 18:02

Rank45393

Details

Summary *

Artifact disclosure to a mentioned user via email notifications

Original Submission

When users are mentioned in the comments of an artifact, they receive an email notification even if they do not have the necessary permissions to access the artifact. The notification sent may contain the entire content of the artifact if field permissions allow it.

Impact

Users may potentially access confidential information from artifacts that they are not authorized to view.

CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploitation

Create an artifact in a tracker where access is restricted to certain users.
Comment something in this artifact and mentioning one of the users who does not have access rights.
Open the mailbox associated with this user's account.

References

CWE 863
OWASP Broken Access Control
CVE-2025-53902

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toAntoine Sauzeau (antoinesauzeau)

StatusClosed

Close date2025-07-15

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #43704

Git commit

tuleap/tuleap/stable

fix: request #43704 Artifact disclosure to a mentioned user via email notifications ebe054df8a

Antoine Sauzeau (antoinesauzeau) , 2025-07-15 12:30

Merge commit 'refs/changes/71/34971/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD cbe8f16b8d

Joris MASSON (jmasson) , 2025-07-15 15:20

Show items referenced by request #43704

Referenced by request #43704

Artifact Tracker v5

rel #43670 16.10

Git commit

tuleap/tuleap/stable

fix: request #43704 Artifact disclosure to a mentioned user via email notifications ebe054df8a

Antoine Sauzeau (antoinesauzeau) , 2025-07-15 12:30

Other

Follow-ups

Thomas Gerbet (tgerbet)

2025-07-21 16:11

Public disclosure.

Thomas Gerbet (tgerbet)

2025-07-15 18:34

CVE-2025-53902 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Joris MASSON (jmasson)

2025-07-15 15:22

Connected artifacts
- Added Fixed in: rel #43670

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-07-15 15:21

request fixed by @antoinesauzeau with git #tuleap/stable/ebe054df8a2672afee41af84e5ba14b57ef8b789.

Status changed from Under review to Closed
Close date set to 2025-07-15

Thomas Gerbet (tgerbet)

2025-07-11 17:27

See gerrit #34971.

Status changed from Verified to Under review

Thomas Gerbet (tgerbet)

2025-07-11 08:12

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2025-07-10 18:04

Status changed from Acknowledged to Verified