request #45583 FRS project administrator can access releases in all projects

Infos

Artifact ID#45583

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-12-08 10:33

Submitted on2025-11-05 10:51

Rank47306

Details

Summary *

FRS project administrator can access releases in all projects

Original Submission

A FRS/project administrators in one projects can access information of file release system services in all projects without having the rights to access them.

Impact

Attackers can use this to access file release system information in project they do not have access to.
CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Exploitation

Be a project/FRS admin in a project A
Have a project B with the FRS service enabled and some content you should not have access to
Go to https://tuleap.example.com/file/<project_id_A>/package/<package_id_project_B>

References

CWE 639
CVE-2025-64497

CategoryDelivery/File release system

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-11-06

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #45583

Git commit

tuleap/tuleap/stable

fix: request #45583 FRS project administrator can access releases in all projects 403eb69f4c

Thomas Gerbet (tgerbet) , 2025-11-06 11:37

Merge commit 'refs/changes/10/36110/4' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD a9f4bf388f

Marie Ange Garnier (marieange) , 2025-11-06 13:15

Show items referenced by request #45583

Referenced by request #45583

Artifact Tracker v5

rel #45209 17.1

Git commit

tuleap/tuleap/stable

fix: request #45583 FRS project administrator can access releases in all projects 403eb69f4c

Thomas Gerbet (tgerbet) , 2025-11-06 11:37

Other

gerrit #36110

Follow-ups

Thomas Gerbet (tgerbet)

2025-12-08 10:33

Public disclosure.

Thomas Gerbet (tgerbet)

2025-11-12 09:56

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2025-11-07 09:03

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

2025-11-06 13:24

Connected artifacts
- Added Fixed in: rel #45209

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-11-06 13:16

request fixed by @tgerbet with git #tuleap/stable/403eb69f4cfafe52254c8f9bdbe66e1fedadc254.

Status changed from Under review to Closed
Close date set to 2025-11-06

Thomas Gerbet (tgerbet)

2025-11-05 15:44

See gerrit #36110.

Status changed from Under implementation to Under review