CVE-2024-47767

Tuleap lists trackers in the quick add actions of the backlog without any permissions check

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, users might see tracker names they should not have access to. Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue.

*Credits: N/A

CVSS Scores

GitHubv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-30 CVE Reserved
2024-10-14 CVE Published
2024-10-15 CVE Updated
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-280: Improper Handling of Insufficient Permissions or Privileges

CAPEC

References (8)

URL	Tag	Source
https://github.com/Enalean/tuleap/commit/16d9efccb2fad8e10343be2604e94c9058ef2c89	X_refsource_misc
https://github.com/Enalean/tuleap/commit/e5ce81279766115dc0f126a11d6b5065b5db7eec	X_refsource_misc
https://github.com/Enalean/tuleap/commit/f89d7093d2c576ad5e2b35a6a096fcdaf563d1df	X_refsource_misc
https://github.com/Enalean/tuleap/security/advisories/GHSA-j342-v27q-329v	X_refsource_confirm
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=16d9efccb2fad8e10343be2604e94c9058ef2c89	X_refsource_misc
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=e5ce81279766115dc0f126a11d6b5065b5db7eec	X_refsource_misc
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=f89d7093d2c576ad5e2b35a6a096fcdaf563d1df	X_refsource_misc
https://tuleap.net/plugins/tracker/?aid=39728	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Enalean Search vendor "Enalean"		Tuleap Search vendor "Enalean" for product "Tuleap"				< 15.13.99.113 Search vendor "Enalean" for product "Tuleap" and version " < 15.13.99.113"		en		Affected
Enalean Search vendor "Enalean"		Tuleap Search vendor "Enalean" for product "Tuleap"				< 15.13 Search vendor "Enalean" for product "Tuleap" and version " < 15.13"		en		Affected
Enalean Search vendor "Enalean"		Tuleap Search vendor "Enalean" for product "Tuleap"				< 15.12 Search vendor "Enalean" for product "Tuleap" and version " < 15.12"		en		Affected