Mantis Bug Tracker Authorization Bypass Vulnerability Allowing Access to Private Issue Attachments

Vulnerability

An authorization bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions through 2.28.1. This vulnerability allows users to list and download their own attachments from issues created by others, even after those issues have been made private, thereby bypassing read access restrictions. The vulnerability arises because the attachment visibility logic allows users to retain access to their own files, despite losing visibility of the parent issue.

Impact

Exploitation of this vulnerability leads to unauthorized access to private issue attachments, although the impact is limited to files uploaded by the user themselves.

Reproduction

To reproduce this vulnerability, log in as a low-privileged user and upload a file to a public issue created by another user. Once the file is uploaded, change the issue's view status to private. After confirming that access to the issue is now denied, use the REST API to list the issue's attachments and download the file through the file download endpoint. This process can be automated with a simple script.

Remediation

Users can upgrade to MantisBT version 2.28.2, where this vulnerability has been fixed.
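The flaw described above is an ordering problem in the authorization check: file ownership is honoured before the parent issue's visibility is consulted. The following Python model is an added illustration, not MantisBT's own code (the advisory does not show the project's function names); the Issue, Attachment and User types and the two check functions are hypothetical stand-ins, with the vulnerable decision shown beside the corrected one on constructed data that replays the reproduction steps.

```python
from dataclasses import dataclass

PUBLIC, PRIVATE = "public", "private"

@dataclass
class Issue:
    issue_id: int
    reporter: str
    view_state: str = PUBLIC

@dataclass
class Attachment:
    file_id: int
    issue_id: int
    uploader: str

@dataclass
class User:
    name: str
    privileged: bool = False  # hypothetical stand-in for a role allowed to read private issues

def can_view_issue(user: User, issue: Issue) -> bool:
    """Issue read access: public issues are open; private ones need the reporter or a privileged role."""
    if issue.view_state == PUBLIC:
        return True
    return user.name == issue.reporter or user.privileged

def can_download_vulnerable(user: User, issue: Issue, att: Attachment) -> bool:
    """Flawed order of checks: ownership of the file grants access on its own,
    so the parent issue's visibility is never consulted for the uploader."""
    if att.uploader == user.name:
        return True
    return can_view_issue(user, issue)

def can_download_fixed(user: User, issue: Issue, att: Attachment) -> bool:
    """Corrected check: read access to the parent issue is a precondition for
    listing or downloading any of its attachments; ownership never widens it."""
    if att.issue_id != issue.issue_id:
        return False
    return can_view_issue(user, issue)

def walk_scenario() -> dict:
    """Replay the advisory's steps with constructed data and record both decisions."""
    uploader = User("bob")  # constructed low-privileged user, not the issue reporter
    issue = Issue(issue_id=1, reporter="alice")
    att = Attachment(file_id=7, issue_id=1, uploader="bob")
    results = {"public": (can_download_vulnerable(uploader, issue, att),
                          can_download_fixed(uploader, issue, att))}
    issue.view_state = PRIVATE  # the issue is made private after the upload
    results["private"] = (can_download_vulnerable(uploader, issue, att),
                          can_download_fixed(uploader, issue, att))
    results["issue_visible"] = can_view_issue(uploader, issue)
    return results
```

Under the vulnerable check the uploader keeps access to the file after losing access to the issue; the corrected check denies both consistently, which is the behaviour a patched deployment should exhibit.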

Added: May 19, 2026, 11:24 PM
Updated: May 19, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.