CVE-2022-23473 - Vulnerability Details - OpenCVE

Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enalean	Tuleap

Configuration 1 [-]

OR	cpe:2.3:a:enalean:tuleap:::::enterprise:::*
	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9
https://tuleap.net/plugins/tracker/?aid=29645

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-13T06:46:17.479Z

Updated: 2024-08-03T03:43:46.107Z

Reserved: 2022-01-19T21:23:53.757Z

Link: CVE-2022-23473

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-13T07:15:09.723

Modified: 2024-11-21T06:48:38.023

Link: CVE-2022-23473

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23473", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.757Z", "datePublished": "2022-12-13T06:46:17.479Z", "dateUpdated": "2024-08-03T03:43:46.107Z"}, "containers": {"cna": {"title": "Tuleap MediaWiki standalone \"readers\" can also edit pages", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw"}, {"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9", "tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9"}, {"name": "https://tuleap.net/plugins/tracker/?aid=29645", "tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/tracker/?aid=29645"}], "affected": [{"vendor": "Enalean", "product": "tuleap", "versions": [{"version": "< 14.2.99.148", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-13T06:46:17.479Z"}, "descriptions": [{"lang": "en", "value": "Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6."}], "source": {"advisory": "GHSA-c7rr-5vmc-rgcw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.107Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw"}, {"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9"}, {"name": "https://tuleap.net/plugins/tracker/?aid=29645", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tuleap.net/plugins/tracker/?aid=29645"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B83F73F0-4A3C-4BF8-9856-69804CC7CA97", "versionEndExcluding": "14.1-6", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "matchCriteriaId": "1D108E69-8674-468E-97F8-43328D59DB3F", "versionEndExcluding": "14.2.99.148", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "58282A9C-CDE2-4A05-A3CC-81CB363A6C33", "versionEndExcluding": "14.2-5", "versionStartIncluding": "14.2-1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6."}, {"lang": "es", "value": "Tuleap es una suite de c\u00f3digo abierto para mejorar la gesti\u00f3n de los desarrollos de software y la colaboraci\u00f3n. En versiones anteriores a la 14.2.99.148, las autorizaciones no se verifican correctamente al acceder a los recursos independientes de MediaWiki. Los usuarios con permisos de solo lectura para p\u00e1ginas tambi\u00e9n pueden editarlas. Esto s\u00f3lo afecta al complemento independiente de MediaWiki. Este problema se solucion\u00f3 en las versiones Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5 y Tuleap Enterprise Edition 14.1-6."}], "id": "CVE-2022-23473", "lastModified": "2024-11-21T06:48:38.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-13T07:15:09.723", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=29645"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=29645"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}