makeplane plane
cpe:2.3:a:plane:plane:*:*:*:*:*:*:*
- < 0.24.0
A vulnerability in Plane, an open-source project management tool, prior to version 1.3.0, allows project members with ADMIN or MEMBER roles to indiscriminately alter the start_date and target_date of any issue across the entire Plane instance. This issue arises from the IssueBulkUpdateDateEndpoint, which retrieves issues by ID without applying any filters for workspace or project, thereby facilitating unauthorized cross-boundary data modifications. The vulnerability disrupts workspace isolation, a critical security boundary in multi-tenant deployments, and can interfere with project planning by manipulating important deadlines and timelines.
This vulnerability allows any authenticated project member to change issue dates in any workspace or project, breaking the workspace isolation that multi-tenant deployments rely on as a security boundary. The resulting edits can silently disrupt project timelines and deadlines across tenants.
To reproduce this vulnerability, an authenticated user with a MEMBER role in any project can send a POST request to the IssueBulkUpdateDateEndpoint, including the UUID of a target issue from a different workspace or project. The request will bypass workspace and project boundaries, allowing the user to modify the issue's dates without authorization.
Users are advised to update Plane to version 1.3.0 or later, where this vulnerability has been fixed.
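To make the root cause and the fix concrete, the following added Python example (not Plane's code; the `Issue` model, function names and sample ids are hypothetical) places the flawed lookup-by-id-only pattern beside a hardened version whose lookup is scoped to the workspace and project the caller is authorized in:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass
class Issue:
    """Minimal stand-in for an issue record: its id plus the two tenancy keys."""
    id: str
    workspace: str
    project: str
    start_date: Optional[date] = None
    target_date: Optional[date] = None

# Constructed sample data (placeholder ids, not real UUIDs): two issues in
# workspace "acme" and one owned by a different tenant entirely.
ISSUES: Dict[str, Issue] = {
    "issue-a": Issue("issue-a", workspace="acme", project="web"),
    "issue-b": Issue("issue-b", workspace="acme", project="mobile"),
    "issue-c": Issue("issue-c", workspace="other-tenant", project="core"),
}

def bulk_update_dates_unscoped(issue_ids: Iterable[str], start: str, target: str) -> List[str]:
    """Flawed pattern: rows are fetched by id alone, so any id the caller
    obtains is writable regardless of which workspace or project owns it."""
    start_d, target_d = date.fromisoformat(start), date.fromisoformat(target)
    updated: List[str] = []
    for issue_id in issue_ids:
        issue = ISSUES.get(issue_id)
        if issue is not None:  # no tenancy check at all
            issue.start_date, issue.target_date = start_d, target_d
            updated.append(issue_id)
    return updated

def _in_scope(issue: Optional[Issue], workspace: str, project: str) -> bool:
    """An issue is only visible to the caller if it lives in the scope they hold."""
    return issue is not None and issue.workspace == workspace and issue.project == project

def bulk_update_dates_scoped(workspace: str, project: str, issue_ids: Iterable[str],
                             start: str, target: str) -> Tuple[List[str], List[str]]:
    """Hardened pattern: workspace and project come from the authorized URL scope
    (never from the request body) and are part of the lookup. The update is
    atomic: if any id falls outside the scope nothing is written, and the
    offending ids are returned so the request can be rejected and logged."""
    start_d, target_d = date.fromisoformat(start), date.fromisoformat(target)
    ids = list(issue_ids)
    rejected = [i for i in ids if not _in_scope(ISSUES.get(i), workspace, project)]
    if rejected:
        return [], rejected
    for issue_id in ids:
        ISSUES[issue_id].start_date, ISSUES[issue_id].target_date = start_d, target_d
    return ids, []
```

The scoped version treats an out-of-scope id exactly like a non-existent one, which is the property that restores workspace isolation; the role check (ADMIN or MEMBER) remains a separate, additional gate.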