CVE-2024-25130 - Vulnerability Details - OpenCVE

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enalean	Tuleap

Configuration 1 [-]

OR	cpe:2.3:a:enalean:tuleap:::::enterprise:::*
	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667
https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667
https://tuleap.net/plugins/tracker/?aid=36803

History

Wed, 05 Feb 2025 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Enalean Enalean tuleap
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:enalean:tuleap:::::community:::* cpe:2.3:a:enalean:tuleap:::::enterprise:::*
Vendors & Products		Enalean Enalean tuleap

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-22T18:29:10.138Z

Updated: 2024-08-27T20:46:21.591Z

Reserved: 2024-02-05T14:14:46.381Z

Link: CVE-2024-25130

Vulnrichment

Updated: 2024-08-01T23:36:21.764Z

NVD

Status : Analyzed

Published: 2024-02-22T19:15:08.823

Modified: 2025-02-05T21:55:35.147

Link: CVE-2024-25130

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25130", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-05T14:14:46.381Z", "datePublished": "2024-02-22T18:29:10.138Z", "dateUpdated": "2024-08-27T20:46:21.591Z"}, "containers": {"cna": {"title": "Tuleap's mass update clears the permissions on artifact field", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5"}, {"name": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC"], "url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667"}, {"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667"}, {"name": "https://tuleap.net/plugins/tracker/?aid=36803", "tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/tracker/?aid=36803"}], "affected": [{"vendor": "Enalean", "product": "tuleap", "versions": [{"version": "< 15.5.99.76", "status": "affected"}, {"version": ">= 15.5, < 15.5-4", "status": "affected"}, {"version": "< 15.4-7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-22T18:29:10.138Z"}, "descriptions": [{"lang": "en", "value": "Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue."}], "source": {"advisory": "GHSA-mq7f-m6mj-hjj5", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.764Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5"}, {"name": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667"}, {"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667"}, {"name": "https://tuleap.net/plugins/tracker/?aid=36803", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tuleap.net/plugins/tracker/?aid=36803"}]}, {"affected": [{"vendor": "enalean", "product": "tuleap", "cpes": ["cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "15.5.99.76", "versionType": "custom"}, {"version": "15.5", "status": "affected", "lessThan": "15.5-4", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "15.4-7", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-26T17:53:47.840456Z", "id": "CVE-2024-25130", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T20:46:21.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", "name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", "name": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", "name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://tuleap.net/plugins/tracker/?aid=36803", "name": "https://tuleap.net/plugins/tracker/?aid=36803", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.764Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25130", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-26T17:53:47.840456Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*:*"], "vendor": "enalean", "product": "tuleap", "versions": [{"status": "affected", "version": "0", "lessThan": "15.5.99.76", "versionType": "custom"}, {"status": "affected", "version": "15.5", "lessThan": "15.5-4", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "15.4-7", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T20:42:03.650Z"}}], "cna": {"title": "Tuleap's mass update clears the permissions on artifact field", "source": {"advisory": "GHSA-mq7f-m6mj-hjj5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Enalean", "product": "tuleap", "versions": [{"status": "affected", "version": "< 15.5.99.76"}, {"status": "affected", "version": ">= 15.5, < 15.5-4"}, {"status": "affected", "version": "< 15.4-7"}]}], "references": [{"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", "name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", "name": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC"]}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", "name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667", "tags": ["x_refsource_MISC"]}, {"url": "https://tuleap.net/plugins/tracker/?aid=36803", "name": "https://tuleap.net/plugins/tracker/?aid=36803", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-22T18:29:10.138Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25130", "state": "PUBLISHED", "dateUpdated": "2024-08-27T20:46:21.591Z", "dateReserved": "2024-02-05T14:14:46.381Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-22T18:29:10.138Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "00C1AA2F-2986-49C6-A558-A479543600CB", "versionEndExcluding": "15.4-7", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "matchCriteriaId": "BE65762A-F5B7-451D-B081-9424FE3A4FE9", "versionEndExcluding": "15.5.99.76", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8DA2EE66-8C5E-4E15-903E-3DE016F5207A", "versionEndExcluding": "15.5-4", "versionStartIncluding": "15.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue."}, {"lang": "es", "value": "Tuleap es una suite de c\u00f3digo abierto para mejorar la gesti\u00f3n de los desarrollos de software y la colaboraci\u00f3n. Antes de la versi\u00f3n 15.5.99.76 de Tuleap Community Edition y antes de las versiones 15.5-4 y 15.4-7 de Tuleap Enterprise Edition, los usuarios con acceso de lectura a un rastreador donde se utiliza la funci\u00f3n de actualizaci\u00f3n masiva pod\u00edan obtener acceso a informaci\u00f3n restringida. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4 y Tuleap Enterprise Edition 15.4-7 contienen un parche para este problema."}], "id": "CVE-2024-25130", "lastModified": "2025-02-05T21:55:35.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-22T19:15:08.823", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5"}, {"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=36803"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=36803"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}