6.5

CVE-2025-64497

Tuleap exposes releases for all projects to File Release System project administrators

Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of  Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EnaleanTuleap SwEditionenterprise Version < 16.12-10
EnaleanTuleap SwEditioncommunity Version < 17.0.99.1762431347
EnaleanTuleap SwEditionenterprise Version >= 16.13 < 16.13-7
EnaleanTuleap SwEditionenterprise Version >= 17.0 < 17.0-2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.148
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v
Vendor Advisory
https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254
Patch
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254
Patch
Broken Link
https://tuleap.net/plugins/tracker/?aid=45583
Vendor Advisory
Issue Tracking