2290750 – (CVE-2024-36399) CVE-2024-36399 kanboard: Improper access control

Bug 2290750 (CVE-2024-36399) - CVE-2024-36399 kanboard: Improper access control

Summary: CVE-2024-36399 kanboard: Improper access control

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2024-36399
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2290751
Blocks:
TreeView+	depends on / blocked

Reported:	2024-06-06 17:33 UTC by Pedro Sampaio
Modified:	2024-06-07 15:11 UTC (History)
CC List:	0 users
Fixed In Version:	python-kanboard 1.2.37
Clone Of:
Environment:
Last Closed:	2024-06-07 15:09:17 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2024-06-06 17:33:02 UTC

Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.

https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7
https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv

Comment 1 Pedro Sampaio 2024-06-06 17:33:15 UTC

Created python-kanboard tracking bugs for this issue:

Affects: fedora-all [bug 2290751]

Comment 2 Pedro Sampaio 2024-06-07 15:11:21 UTC

python-kanboard is a client to kanboard and not the core server. Closing as notabug.

Note You need to log in before you can comment on or make changes to this bug.