CVSS base score (NVD): 6.5

CVE-2024-25130

Tuleap's mass update clears the permissions on artifact field

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue.
Data provided by the National Vulnerability Database (NVD)

Affected products
Enalean Tuleap, Enterprise Edition: version < 15.4-7
Enalean Tuleap, Community Edition: version < 15.5.99.76
Enalean Tuleap, Enterprise Edition: version >= 15.5 and < 15.5-4

No warning was found for this CVE.
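The three ranges above use two different version syntaxes (dotted Community Edition builds such as 15.5.99.76, and Enterprise Edition releases such as 15.4-7), which makes a quick inventory triage error-prone by eye. The following checker is an added example, not code from the page, NVD or the Tuleap project: it parses both syntaxes into comparable tuples and applies exactly the ranges listed on this page. The host inventory at the bottom is constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as listed on this page for CVE-2024-25130:
# (edition, lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES = [
    ("community", None, "15.5.99.76"),
    ("enterprise", None, "15.4-7"),
    ("enterprise", "15.5", "15.5-4"),
]

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn '15.5.99.76' (CE) or '15.4-7' (EE) into a tuple of ints.

    The EE '-N' release suffix is treated as one more numeric component,
    so (15, 5) < (15, 5, 4) < (15, 6): '15.5' is the start of the 15.5
    line and '15.5-4' is its fourth release.
    """
    parts = re.split(r"[.-]", v.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tuleap version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(edition: str, version: str) -> bool:
    """True if the (edition, version) pair falls in any listed range."""
    edition = edition.strip().lower()
    if edition not in {"community", "enterprise"}:
        raise ValueError(f"unknown Tuleap edition: {edition!r}")
    ver = parse_version(version)
    for range_edition, lower, upper in AFFECTED_RANGES:
        if range_edition != edition:
            continue
        if lower is not None and ver < parse_version(lower):
            continue
        if ver < parse_version(upper):
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames from (host, edition, version) rows that need the patch."""
    return [host for host, edition, version in inventory if is_affected(edition, version)]


# Constructed sample inventory (not real hosts), one row per Tuleap instance.
SAMPLE_INVENTORY = [
    ("tuleap-dev.example.internal", "community", "15.5.99.75"),   # affected
    ("tuleap-ci.example.internal", "community", "15.5.99.76"),    # fixed build
    ("tuleap-prod.example.internal", "enterprise", "15.4-6"),     # affected
    ("tuleap-prod2.example.internal", "enterprise", "15.4-7"),    # fixed
    ("tuleap-staging.example.internal", "enterprise", "15.5-3"),  # affected
    ("tuleap-new.example.internal", "enterprise", "15.5-4"),      # fixed
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs patch:", host)
```

Tuple comparison does the right thing for the ranges on this page, but note one caveat of the representation: a version written with a trailing zero component (for example 15.5.0) compares as greater than 15.5, so feed the checker the version string exactly as Tuleap reports it.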
EPSS metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.5%   0.385 (38.5th percentile)

CVSS metrics
Source                           Base  Exploitability  Impact  Vector
nvd@nist.gov                     6.5   2.8             3.6     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com   5.4   1.2             4.2     CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References
https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667 (Patch)
https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5 (Patch, Vendor Advisory)
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667 (Broken Link)
https://tuleap.net/plugins/tracker/?aid=36803 (Vendor Advisory)