CVE-2022-31128
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories using the fine grained permissions. Users can create branches via the REST endpoint POST git/:id/branches regardless of the permissions set on the repository. This issue has been fixed in version 13.10.99.82 Tuleap Community Edition as well as in version 13.10-3 of Tuleap Enterprise Edition. Users are advised to upgrade. There are no known workarounds for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Enalean | tuleap | >= >= 13.9.99.110, < 13.10.99.82 | affected |
Weaknesses
- CWE-862: CWE-862: Missing Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Enalean/tuleap/security/advisories/GHSA-2p49-vgcx-5w79
- https://github.com/Enalean/tuleap/commit/58ecb1dee1c46075d3e089980301ebfbe0bafd33
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=58ecb1dee1c46075d3e089980301ebfbe0bafd33
- https://tuleap.net/plugins/tracker/?aid=27538
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/Enalean/tuleap/security/advisories/GHSA-2p49-vgcx-5w79
- https://github.com/Enalean/tuleap/commit/58ecb1dee1c46075d3e089980301ebfbe0bafd33
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=58ecb1dee1c46075d3e089980301ebfbe0bafd33
- https://tuleap.net/plugins/tracker/?aid=27538
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.