CVE-2023-38508: Preview of a linked artifact with a type does not respect permissions

Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, the preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal). Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced. Tuleap Community Edition 14.11.99.28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue.

CVE

Submitted by: Thomas Gerbet (tgerbet)

Last Modified On: 2023-08-21 08:45

Submitted on: 2023-07-25 15:08

Rank: 35123

Summary

Preview of a linked artifact with a type does not respect permissions

Original Submission

The preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal).

Impact

Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced.

CVSSv3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Exploitation

  1. Have an artifact in a private project
  2. With a user who is not a member of this private project, edit another artifact elsewhere. Edit an artifact links field, select a type and try to preview this link with an artifact in the private project.
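The reported behaviour is a layered-authorization gap: the preview enforced field-level permissions but skipped the project, tracker and artifact checks that sit above them. The following Python model is an added illustration written for this page, not Tuleap's code; the classes, group names, user names and the two preview functions are all constructed for the example. It reproduces the reported behaviour (`preview_link_vulnerable`) next to the hardened form (`preview_link_fixed`) so the difference in what a non-member sees is explicit.

```python
"""Illustrative model of artifact-link preview authorization (not Tuleap code).

Assumptions (constructed for this example): users carry a set of group names,
projects list their members, trackers and artifacts may restrict readers to
groups, and individual fields may restrict readers to groups.
"""
from dataclasses import dataclass
from typing import Optional

# Semantic fields exposed by an artifact-link preview, as listed in the advisory.
SEMANTIC_FIELDS = ("title", "status", "assigned_to", "last_update_date")


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Project:
    id: int
    is_public: bool
    members: frozenset = frozenset()  # user names


@dataclass(frozen=True)
class Tracker:
    id: int
    project: Project
    reader_groups: frozenset = frozenset()  # empty = anyone who can see the project


@dataclass
class Artifact:
    id: int
    tracker: Tracker
    fields: dict                   # semantic field name -> value
    field_reader_groups: dict      # field name -> groups allowed to read it
    reader_groups: Optional[frozenset] = None  # None = no artifact-level restriction


def can_access_project(user: User, project: Project) -> bool:
    return project.is_public or user.name in project.members


def can_access_tracker(user: User, tracker: Tracker) -> bool:
    if not can_access_project(user, tracker.project):
        return False
    return not tracker.reader_groups or bool(user.groups & tracker.reader_groups)


def can_access_artifact(user: User, artifact: Artifact) -> bool:
    if not can_access_tracker(user, artifact.tracker):
        return False
    return artifact.reader_groups is None or bool(user.groups & artifact.reader_groups)


def can_read_field(user: User, artifact: Artifact, name: str) -> bool:
    allowed = artifact.field_reader_groups.get(name)
    return allowed is None or bool(user.groups & allowed)


def _visible_semantic_fields(user: User, artifact: Artifact) -> dict:
    # Field-level permissions only; both preview variants share this step.
    return {n: artifact.fields[n] for n in SEMANTIC_FIELDS
            if n in artifact.fields and can_read_field(user, artifact, n)}


def preview_link_vulnerable(user: User, artifact: Artifact) -> dict:
    """Mirrors the reported behaviour: only field-level permissions are checked."""
    return _visible_semantic_fields(user, artifact)


def preview_link_fixed(user: User, artifact: Artifact) -> Optional[dict]:
    """Hardened form: project, tracker and artifact access first, then fields."""
    if not can_access_artifact(user, artifact):
        return None  # caller renders "no preview", revealing nothing
    return _visible_semantic_fields(user, artifact)


def sample_scenario():
    """Constructed data: a private project with one member and a restricted title."""
    private_project = Project(id=42, is_public=False, members=frozenset({"alice"}))
    tracker = Tracker(id=7, project=private_project)
    artifact = Artifact(
        id=1001, tracker=tracker,
        fields={"title": "Internal roadmap", "status": "Open",
                "assigned_to": "alice", "last_update_date": "2023-07-25"},
        field_reader_groups={"title": frozenset({"security_team"})},
    )
    alice = User("alice", frozenset({"project_members", "security_team"}))
    bob = User("bob")  # not a member of the private project
    return artifact, alice, bob


if __name__ == "__main__":
    artifact, alice, bob = sample_scenario()
    print("bob, vulnerable:", preview_link_vulnerable(bob, artifact))
    print("bob, fixed:     ", preview_link_fixed(bob, artifact))
    print("alice, fixed:   ", preview_link_fixed(alice, artifact))
```

Run stand-alone, the vulnerable preview still hands the non-member the status, assignee and last update date while withholding the group-restricted title, which is exactly the partial exposure the Impact section describes; the fixed preview returns nothing for that user. The design point for a defender is that field permissions are the last gate, not the first: every endpoint that renders another object's data has to re-run the container-level checks itself rather than assume the caller did.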

References

CWE 200
OWASP Top 10 Broken Access Control
CVE-2023-38508

Acknowledgement

This security issue was reported by Aurélien TISNÉ from CS Group.

Reported in version: All

Platform: Empty

Is an Enhancement or an internal improvement?

  • [ ] enhancement
  • [ ] internal improvement

CC list: Empty

Assigned to: Thomas Gerbet (tgerbet)

Status: Closed

Close date: 2023-07-26
