View Issue Details

ID: 0034434
Project: mantisbt
Category: security
View Status: public
Last Update: 2024-05-12 12:34
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.26.1
Target Version: 2.26.2
Fixed in Version: 2.26.2
Summary: 0034434: CVE-2024-34080: Don't hyperlink references to notes whose issues are not accessible to user
Description

If an issue references another issue that the user doesn't have access to, then it doesn't get hyperlinked.
If an issue references a private note that the user can't view, then it doesn't get hyperlinked.

However, if an issue references a note that belongs to an issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied; however, the link, link label, and tooltip are available.

The information disclosed is:

  • note author name
  • note creation timestamp
  • issue id the note belongs to
  • existence of the note

Additional Information

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q

Tags: No tags attached.

Relationships

related to 0034435 (closed, vboctor): Issue note links don't reflect if issue is resolved
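
The order of checks described in this issue (note exists, parent issue is accessible, private note is viewable), shown as an added example; it is not MantisBT's code or the patch for this issue. The data model, function names and link format are assumptions made for illustration, and the sample data is constructed.

```php
<?php
// Constructed sample data. Every name below is hypothetical, not MantisBT's API.
$db = [
    'issues' => [
        101 => ['readers' => ['alice', 'bob']],
        202 => ['readers' => ['alice']],            // bob cannot view issue 202
    ],
    'notes' => [
        7001 => ['issue' => 101, 'private' => false, 'author' => 'alice', 'created' => '2024-05-01 10:00'],
        7002 => ['issue' => 101, 'private' => true,  'author' => 'alice', 'created' => '2024-05-01 11:00'],
        7003 => ['issue' => 202, 'private' => false, 'author' => 'alice', 'created' => '2024-05-02 09:00'],
    ],
    'private_note_viewers' => ['alice'],
];

// A note reference may be linked only if every check passes.
function can_link_note(array $db, string $user, int $noteId): bool
{
    $note = $db['notes'][$noteId] ?? null;
    if ($note === null) {
        return false;                                // no such note
    }
    // Parent-issue check: the one missing in the behaviour reported above.
    $issue = $db['issues'][$note['issue']] ?? null;
    if ($issue === null || !in_array($user, $issue['readers'], true)) {
        return false;
    }
    // Private-note check.
    return !$note['private'] || in_array($user, $db['private_note_viewers'], true);
}

// Replace "~<id>" with a link, or leave the text untouched when access is denied,
// so a denied reference looks the same as a reference to a note that does not exist.
// Assumes $text has already been HTML-escaped by the caller.
function render_note_refs(array $db, string $user, string $text): string
{
    return preg_replace_callback('/~(\d+)/', function (array $m) use ($db, $user): string {
        $id = (int) $m[1];
        if (!can_link_note($db, $user, $id)) {
            return $m[0];
        }
        $n = $db['notes'][$id];
        $tip = htmlspecialchars($n['author'] . ' ' . $n['created'], ENT_QUOTES);
        return sprintf('<a href="view.php?id=%d#c%d" title="%s">~%d</a>', $n['issue'], $id, $tip, $id);
    }, $text);
}

foreach (['alice', 'bob'] as $user) {
    echo $user, ': ', render_note_refs($db, $user, 'See ~7001, ~7002, ~7003 and ~9999.'), PHP_EOL;
}
```

For the user without access, the references to the private note, the note on the inaccessible issue and the nonexistent note all render as identical plain text, so none of the four items listed in the description is exposed.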

Activities

vboctor

2024-05-05 16:12

manager   ~0068890

PR: https://github.com/mantisbt/mantisbt/pull/2000

dregad

2024-05-05 18:30

developer   ~0068891

Last edited: 2024-05-05 18:30

@vboctor I suppose you created this as a private issue due to the information disclosure aspect of the bug?

If that is the case, then why are you creating a regular GitHub pull request, which is publicly accessible? And is that the reason why you labelled it "refactoring" (it's not)...

Being a security issue, we need a CVE ID for it. This is easily done by opening an Advisory (for future reference: https://github.com/mantisbt/mantisbt/security/advisories/new), which also gives us the possibility to create a private fork that can be used to work on the patch without disclosing anything until we're ready to publish it.

I have opened GHSA-99jc-wqmr-ff2q.

dregad

2024-05-06 10:45

developer   ~0068903

CVE-2024-34080 assigned

Related Changesets

MantisBT: master-2.26 0a505623

2024-05-05 15:54

vboctor

Committer: dregad

Fix access level check for note links

Fixes 0034434

Affected Issues: 0034434
mod - core/string_api.php