Tracker report renderer and chart widgets leak information user cannot access
Package: Tuleap Community Edition (tuleap)
Affected versions: < 13.7.99.239
Patched versions: 13.7.99.239

Package: Tuleap Enterprise Edition (tuleap)
Affected versions: < 13.6-5, >= 13.7-1 && < 13.7-4
Patched versions: 13.6-5, 13.7-4
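To triage an installation against the affected ranges listed above, the check below parses a version string and reports whether it falls in an affected range. It is an added example, not code from the Tuleap project; the function names are hypothetical, and it assumes installed versions are written in the same two formats the advisory uses (four dotted numbers for Community Edition, `X.Y-Z` for Enterprise Edition).

```python
import re

# Range boundaries transcribed from the advisory's version table.
CE_FIXED = (13, 7, 99, 239)      # Community Edition: affected if below this
EE_FIXED_136 = (13, 6, 5)        # Enterprise Edition: affected if below this ...
EE_137_FIRST = (13, 7, 1)        # ... or from this version
EE_FIXED_137 = (13, 7, 4)        # up to, but not including, this one

# Assumed formats, taken from how the advisory writes versions.
_CE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")   # e.g. 13.7.99.239
_EE_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)$")           # e.g. 13.6-5


def parse_version(text):
    """Return (edition, tuple of ints) for a Tuleap version string."""
    text = text.strip()
    m = _CE_RE.match(text)
    if m:
        return "community", tuple(int(p) for p in m.groups())
    m = _EE_RE.match(text)
    if m:
        return "enterprise", tuple(int(p) for p in m.groups())
    # Fail loudly rather than guess: an unparsed version needs a manual check.
    raise ValueError(f"unrecognised Tuleap version format: {text!r}")


def is_affected(text):
    """True if the version is inside a range the advisory lists as affected."""
    edition, v = parse_version(text)
    if edition == "community":
        return v < CE_FIXED
    # Enterprise: "< 13.6-5" OR ">= 13.7-1 && < 13.7-4"
    return v < EE_FIXED_136 or EE_137_FIRST <= v < EE_FIXED_137


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ("13.7.99.238", "13.7.99.239", "13.5-9",
                   "13.6-5", "13.7-2", "13.7-4"):
        print(sample, "affected" if is_affected(sample) else "not affected")
```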
Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets.
Impact
Malicious users could use this vulnerability to retrieve the names of trackers they cannot access, as well as the names of the fields used in reports.
Patches
The following versions contain the fix: Tuleap Community Edition 13.7.99.239, and Tuleap Enterprise Edition 13.6-5 and 13.7-4.
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.