CVE-2022-24896

Опубликовано: 09 июн. 2022

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports.

Ссылки

https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313
Patch
Third Party Advisory
https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39
Patch
Third Party Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313
Patch
Vendor Advisory
https://tuleap.net/plugins/tracker/?aid=26729
Issue Tracking
Vendor Advisory
https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313
Patch
Third Party Advisory
https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39
Patch
Third Party Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313
Patch
Vendor Advisory
https://tuleap.net/plugins/tracker/?aid=26729
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*

Версия до 13.6-5 (исключая)

cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*

Версия до 13.7.99.239 (исключая)

cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*

Версия от 13.7-1 (включая) до 13.7-4 (исключая)

EPSS

Процентиль: 37%

0.00157

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862