CVE-2020-29604
Description
MantisBT before 2.24.4 lacks an access check, allowing low-privileged attackers to clone private issues and leak confidential data via the COPY group action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT before 2.24.4 lacks an access check, allowing low-privileged attackers to clone private issues and leak confidential data via the COPY group action.
Vulnerability
Overview
CVE-2020-29604 is an authorization bypass in Mantis Bug Tracker (MantisBT) versions prior to 2.24.4. The root cause is a missing access check in bug_actiongroup.php [1][2]. When an attacker with rights to create new issues issues a COPY group action via the bug_arr[] parameter, the application clones the target issue including all bugnotes and attachments without verifying whether the attacker should have access to that issue [2].
Exploitation
Conditions
To exploit this vulnerability, an attacker must have a MantisBT account with permissions to create new issues, which is a relatively low-privilege role. The attacker then crafts a request that includes the ID of a private issue (one marked as Private or belonging to a private project) in the bug_arr[] parameter and selects the COPY group action [1][2]. The application does not verify that the user is authorized to view the source issue, thus allowing the clone to be created [4].
Impact
Successful exploitation grants the attacker full access to the cloned issue's content, including any confidential bugnotes, file attachments, and other issue metadata [2]. This can lead to the exposure of sensitive information that was intended to be restricted to a specific project or a smaller set of users. There is no requirement for the attacker to have any prior knowledge of the private issue's existence beyond its ID [2].
Mitigation
The vulnerability was fixed in MantisBT version 2.24.4, released in December 2020 [4]. The fix adds an access check in the COPY action to ensure the user is allowed to view the source issue [4]. All users of affected versions should upgrade to 2.24.4 or later. No workarounds are documented; the recommended action is to apply the patch immediately.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mantisbt/mantisbtPackagist | < 2.24.4 | 2.24.4 |
Affected products
2- MantisBT/MantisBTdescription
Patches
1b2da7352b0adPrevent full private issue disclosure
1 file changed · +3 −0
bug_actiongroup.php+3 −0 modified@@ -101,6 +101,9 @@ config_flush_cache(); # flush the config cache so that configs are refetched } + # Make sure user has access to the bug + access_ensure_bug_level( config_get( 'view_bug_threshold' ), $t_bug_id ); + $t_status = $t_bug->status; switch( $f_action ) {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-f38c-wxp6-8xjvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-29604ghsaADVISORY
- github.com/mantisbt/mantisbt/commit/b2da7352b0ad31fa5f925eaacb4b2b96a6cec8e8ghsaWEB
- mantisbt.org/bugs/view.phpghsax_refsource_MISCWEB
- mantisbt.org/bugs/view.phpghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.