CVE-2022-24896

Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
VendorProductVersion
enaleantuleap
𝑥
< 13.6-5
enaleantuleap
𝑥
< 13.7.99.239
enaleantuleap
13.7-1 ≤
𝑥
< 13.7-4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313
https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313
https://tuleap.net/plugins/tracker/?aid=26729
https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313
https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313
https://tuleap.net/plugins/tracker/?aid=26729