CVE-2024-47766 MEDIUM

CVE-2024-47766: Permissions are incorrectly verified for project administrators in the cross tracker search widget

Vendor Enalean
Product tuleap
Weakness CWE-280
Published October 14, 2024
Last update October 15, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Tuleap is a tool for end-to-end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, administrators of a project can use the cross tracker search widget to access the content of trackers with permission restrictions in projects they are members of but not administrators of. Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue.

Key dates

02 Disclosure timeline

October 14, 2024 CVE published
October 15, 2024 Record updated