Executive Summary

This vulnerability exists in Mantis Bug Tracker (MantisBT) versions 2.23.0 to 2.28.1. It is caused by a missing authorization check in the file visibility function. Because of this, any authenticated user with at least REPORTER+ permissions can download attachments on private bugnotes that they should not have access to. This unauthorized access can be done via the REST API endpoint GET /api/rest/issues/{id}/files or the SOAP API mc_issue_attachment_get endpoint. The issue is fixed in version 2.28.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized users with basic authenticated access to download private attachments from bugnotes they should not be able to see. This can lead to exposure of sensitive or confidential information stored in those attachments, potentially causing data leaks or breaches.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mantis Bug Tracker to version 2.28.2 or later, where the missing authorization check has been fixed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Mantis Bug Tracker allows any authenticated user with reporter-level access to download attachments on private bugnotes they should not be authorized to access. This unauthorized access to potentially sensitive information could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

By exposing private attachments without proper authorization checks, the vulnerability undermines confidentiality and access control requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability allows authenticated users with REPORTER+ access to download attachments from private bugnotes via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get endpoint, bypassing proper authorization checks.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting these specific API endpoints, especially those that include file download requests or file listing requests for private bugnotes.

Suggested commands to detect potential exploitation attempts include searching web server logs or network traffic for suspicious API calls:

• Using grep on web server logs to find REST API file listing requests: grep "/api/rest/issues/" /var/log/apache2/access.log | grep "/files"
• Searching for SOAP API mc_issue_attachment_get calls in logs or network captures, if logged.
• Using network monitoring tools (e.g., Wireshark or Zeek) to filter HTTP GET requests to endpoints matching /api/rest/issues/*/files or SOAP requests invoking mc_issue_attachment_get.

Additionally, reviewing user activity logs for authenticated users with REPORTER or higher roles accessing these endpoints can help identify unauthorized access attempts.

Useful 0 Not Useful 0