View Issue Details

ID: 0031086
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-02-22 19:23
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.25.5
Target Version: 2.25.6
Fixed in Version: 2.25.6
Summary: 0031086: CVE-2023-22476: Private issue summary disclosure
Description

Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted bug_arr[] parameter in bug_actiongroup_ext.php.

GitHub security advisory
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79

Steps To Reproduce
  1. As a normal user, submit 2 public issues
  2. Go to view_all_bug_page.php
  3. Select all of the issues and use the attach tags
  4. Open proxy
  5. Modify the id using the private issue id (in my case I will use the id of 1), then turn off the proxy
  6. This will redirect to bug_actiongroup_page.php
  7. Turn on the proxy again and click the attach tags, modify again the value of bug_arr with the private id
  8. This will redirect to bug_actiongroup_ext.php and this will display the summary of the private issue
Additional Information

Original report:
Hi, it's been a while. I checked the endpoints that I tested before, and the endpoint /mantisbt/bug_actiongroup_page.php allows the attacker to disclose the summary of a private issue. I use the attach_tags and modify the bug_arr using the private issue id

Tags: No tags attached.
Attached Files
1.png (39,504 bytes)
2.png (91,148 bytes)

Relationships

related to 0027727 (closed, dregad): CVE-2020-29605: Disclosure of private issue summary

Activities

d3vpoo1

2023-01-06 10:19

reporter   ~0067263

Hi team,

Checking for any possible update regarding this issue.

Thanks

dregad

2023-01-06 10:58

developer   ~0067264

Sorry, that completely fell off the radar... The end of 2022 has been hectic. Thanks for the reminder, I will look into it.

dregad

2023-01-06 19:32

developer   ~0067271

Vulnerability is confirmed.

dregad

2023-01-06 20:11

developer   ~0067272

Trying something new, requesting a CVE via GitHub advisories instead of asking MITRE.

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79

dregad

2023-01-06 20:29

developer   ~0067273

@d3vpoo1 you should now have access to the private temporary repository linked to the advisory
https://github.com/mantisbt/mantisbt-ghsa-hf4x-6h87-hm79/pull/1

Your feedback on the proposed patch would be appreciated (this is pretty much the same fix as 0027727)

dregad

2023-01-08 11:16

developer   ~0067276

CVE-2023-22476 assigned

d3vpoo1

2023-01-09 06:00

reporter   ~0067277

Thank you team

dregad

2023-02-22 02:42

developer   ~0067411

Sorry for the delay in releasing this, I've been busy. Planning to cut the release today.

Related Changesets

MantisBT: master-2.25 840a4e80

2023-01-06 20:16

dregad


Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_ext.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://github.com/jrckmcsb) for reporting the issue.

Fixes 0031086, CVE-2023-22476
Affected Issues
0031086
mod - bug_actiongroup_ext.php Diff File
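
The mitigation named in the commit message above (go through bug_arr[] and remove any issue the user cannot access) is sketched below as an added example; it is not the MantisBT patch or project code. The issue store, the project list, the access levels and the helper names can_view_issue() and filter_bug_arr() are constructed for illustration, and logging the dropped ids is an addition of this example.

```php
<?php
declare(strict_types=1);
// Added example with constructed data; helper names are hypothetical, not MantisBT APIs.
const REPORTER = 25;
const PRIVATE_VIEW_THRESHOLD = 55; // assumed level needed to see other users' private issues
// Constructed issue store: id => project, view status, reporter, summary.
$issues = [
    1 => ['project' => 'core',   'private' => true,  'reporter' => 'alice', 'summary' => 'Private issue'],
    2 => ['project' => 'core',   'private' => false, 'reporter' => 'bob',   'summary' => 'Public issue A'],
    3 => ['project' => 'core',   'private' => false, 'reporter' => 'bob',   'summary' => 'Public issue B'],
    4 => ['project' => 'secret', 'private' => false, 'reporter' => 'alice', 'summary' => 'Issue in private project'],
];
// Constructed projects: a private project is visible only to its listed members.
$projects = [
    'core'   => ['private' => false, 'members' => []],
    'secret' => ['private' => true,  'members' => ['alice']],
];
// Per-issue check covering both cases from the description:
// Private view status, and an issue that belongs to a private project.
function can_view_issue(array $user, int $id, array $issues, array $projects): bool {
    if (!isset($issues[$id])) {
        return false; // unknown id: treat as not viewable
    }
    $project = $projects[$issues[$id]['project']];
    if ($project['private'] && !in_array($user['name'], $project['members'], true)) {
        return false;
    }
    return !$issues[$id]['private']
        || $issues[$id]['reporter'] === $user['name']
        || $user['level'] >= PRIVATE_VIEW_THRESHOLD;
}
// Validate every submitted bug_arr[] value before any issue field is rendered.
function filter_bug_arr(array $raw, array $user, array $issues, array $projects): array {
    $allowed = $dropped = [];
    foreach ($raw as $value) {
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false && can_view_issue($user, $id, $issues, $projects)) {
            $allowed[$id] = $id; // keyed by id to de-duplicate
        } else {
            $dropped[] = $value;
        }
    }
    return [array_values($allowed), $dropped];
}
$bob = ['name' => 'bob', 'level' => REPORTER];
// Constructed request: the user's two public ids mixed with ids the user must not see.
[$ids, $dropped] = filter_bug_arr(['2', '1', '4', '3', '999'], $bob, $issues, $projects);
foreach ($ids as $id) {
    echo "#$id: {$issues[$id]['summary']}\n";
}
if ($dropped !== []) { error_log('bug_arr[] ids dropped for bob: ' . json_encode($dropped)); }
```

Only the two public summaries are rendered for this request. The dropped-id log line is useful for detection, since the issue list never offers a user ids they cannot view.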