CVE-2022-39233 MEDIUM

CVE-2022-39233: Tuleap subject to Missing Authorization allowing for branch prefix modification

Vendor Enalean
Product tuleap
Weakness CWE-862 · Missing authorization
Published October 19, 2022
Last update April 22, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Tuleap is a free and open source suite for managing software development and collaboration. In versions 12.9.99.228 and above, prior to 14.0.99.24, authorizations are not properly verified when updating the branch prefix used by the GitLab repository integration. Authenticated users can change the branch prefix of any GitLab repository integration they can see via the REST endpoint `PATCH /gitlab_repositories/{id}`. This action should be restricted to Git administrators. This issue is patched in Tuleap Community Edition 14.0.99.24 and Tuleap Enterprise Edition 14.0-3. There are no known workarounds.

Disclosure timeline

October 19, 2022 CVE published
April 22, 2025 Record updated
