Enalean Tuleap
cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*
- < 16.3.99.1737562605
- < 16.3-5
- < 16.2-7
A vulnerability exists in the Cross Tracker Search widget of Tuleap, an open-source software development and collaboration suite. This issue allows users, potentially anonymous, to access artifacts they should not be able to see. The vulnerability is present in Tuleap Community Edition versions prior to 16.3.99.1737562605, as well as in Tuleap Enterprise Edition versions prior to 16.3-5 and 16.2-7. The root cause is a failure to properly verify artifact-level permissions, particularly for trackers configured so that artifacts are visible only to the user who submitted them.
The vulnerability could lead to unauthorized access to artifacts, allowing users to view items they do not have permission to see.
To reproduce this vulnerability, add a Cross Tracker Search widget to the dashboard of a public Tuleap project. Ensure that the tracker being searched has artifacts restricted to their submitters. When the widget performs a search, it may return artifacts that the user should not have access to.
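The root cause described above, as an added illustration that is not Tuleap's own code: a search that filters results only on tracker visibility, beside one that also applies the per-artifact check that submitter-restricted trackers require. The Tracker and Artifact models, the submitter_only flag, the admin set and the sample data are all constructed for this example.

```python
from dataclasses import dataclass

ANONYMOUS = None  # constructed: an unauthenticated visitor has no user id


@dataclass(frozen=True)
class Tracker:
    name: str
    project_is_public: bool
    submitter_only: bool  # artifacts readable only by their submitter
    admins: frozenset = frozenset()


@dataclass(frozen=True)
class Artifact:
    id: int
    tracker: Tracker
    submitted_by: int
    title: str


def tracker_is_visible(tracker, user_id):
    # Tracker-level check only: a public project exposes its trackers to everyone
    return tracker.project_is_public or user_id in tracker.admins


def search_vulnerable(artifacts, user_id):
    # Flawed pattern: the search trusts tracker visibility and never asks
    # whether this user may read each individual artifact
    return [a for a in artifacts if tracker_is_visible(a.tracker, user_id)]


def user_can_view_artifact(artifact, user_id):
    t = artifact.tracker
    if not tracker_is_visible(t, user_id):
        return False
    if user_id in t.admins:
        return True
    if t.submitter_only:
        # anonymous users submitted nothing, so they never pass this check
        return user_id is not None and artifact.submitted_by == user_id
    return True


def search_fixed(artifacts, user_id):
    # Corrected pattern: every hit is filtered through the artifact-level check
    return [a for a in artifacts if user_can_view_artifact(a, user_id)]


# constructed sample data: one open tracker, one submitter-only tracker
BUGS = Tracker("bugs", project_is_public=True, submitter_only=False)
SUPPORT = Tracker("support", True, submitter_only=True, admins=frozenset({1}))
ARTIFACTS = [
    Artifact(1, BUGS, submitted_by=2, title="crash on login"),
    Artifact(2, SUPPORT, submitted_by=2, title="private ticket of user 2"),
    Artifact(3, SUPPORT, submitted_by=3, title="private ticket of user 3"),
]


def ids(results):
    return [a.id for a in results]
```

Running both searches as the anonymous visitor shows the difference: the vulnerable version returns all three artifacts, the fixed version only the one from the open tracker.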
Users are advised to upgrade to Tuleap Community Edition 16.3.99.1737562605, Tuleap Enterprise Edition 16.3-5, or Tuleap Enterprise Edition 16.2-7.