CVE-2024-47766

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, administrators of a project can access the content of trackers with permissions restrictions of project they are members of but not admin via the cross tracker search widget. Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
enaleantuleap
𝑥
< 15.12-8
enaleantuleap
𝑥
< 15.13.99.110
enaleantuleap
15.13-0 ≤
𝑥
< 15.13-5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Enalean/tuleap/commit/529d11b70796589767dd27a40ebadf3eaf8f5674
https://github.com/Enalean/tuleap/security/advisories/GHSA-qfrh-fv84-93hx
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=529d11b70796589767dd27a40ebadf3eaf8f5674
https://tuleap.net/plugins/tracker/?aid=39736