Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #44489 Backlog item representations do not verify the permissions of the child trackers
    Actions
    Infos
    #44489
    Marion Calvy (mclv)
    2025-09-18 09:09
    2025-09-08 10:58
    46195
    Details
    Backlog item representations do not verify the permissions of the child trackers

    Impact

    Users might see tracker names they should not have access to.

    CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Exploitation

    Have a user that cannot access a tracker and have this tracker in children trackers of a backlog item.

    The quick add children action should not show the trackers not accessible to the users.

    References

    CWE-280
    CVE-2025-59040

    Agile Dashboard
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2025-09-09
    Attachments
    Empty
    References
    Referencing request #44489

    Git commit

    tuleap/tuleap/stable

    fix: request #44489: Backlog item representations do not verify the permissions of the child trackers 92e4aa2d83
    User avatar Thomas Gerbet (tgerbet) , 2025-09-09 15:25
    Merge commit 'refs/changes/23/35523/5' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 7e25ecdbc7
    User avatar Nicolas Terray (nterray) , 2025-09-09 16:19
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2025-09-10 15:38

    CVE-2025-59040 has been assigned to this issue.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2025-09-09 11:30

    Re-formated the sumarry to match Tuleap advisory style.

    Fix is being reviewed here: gerrit #35523.

    • Summary
      -Bug in submission rights in backlog mode 
      +Backlog item representations do not verify the permissions of the child trackers 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2025-09-08 17:37

    Hello,

    Thanks for the report. We have been able to confirm the issue and are considering this to be a security issue. We have started to work on a fix, we will keep you updated.

    • Category set to Agile Dashboard
    • Status changed from New to Under implementation
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Reported in version set to All