Tuleap Unauthorized Information Access Vulnerability

Vulnerability

A vulnerability exists in Tuleap Community Edition versions prior to 16.3.99.1736242932 and Tuleap Enterprise Edition versions prior to 16.2-5 and 16.3-2. This vulnerability allows an unauthorized user to access restricted information. The issue arises because the initial effort field permissions are not properly enforced when retrieving Taskboard cards via certain REST endpoints.

Impact

Exploitation of this vulnerability could lead to unauthorized access to restricted information, specifically related to Taskboard management.

Reproduction

To reproduce this vulnerability, restrict the initial effort field permissions of a tracker used with the Taskboard plugin so that only project administrators can read the field. Then, with a user account that does not have project administrator privileges, retrieve Taskboard cards through the REST endpoints 'taskboard/:id/cards', 'taskboard_cards/:id', or 'taskboard_cards/:id/children'; in affected versions the initial effort value is returned even though the field permissions should prevent it.

Remediation

Users are advised to upgrade to Tuleap Community Edition 16.3.99.1736242932, Tuleap Enterprise Edition 16.2-5, or Tuleap Enterprise Edition 16.3-2.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.