The preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal).
Impact
Users might get access to information they should not have access to. Only the title, status, "assigned to" and last update date fields, as defined by the semantics, are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group), those permissions are still enforced.
Patches
The following versions contain the fix:
- Tuleap Community Edition 14.11.99.28
- Tuleap Enterprise Edition 14.10-6
- Tuleap Enterprise Edition 14.11-3
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.
References