Lucene search

GitHub_MCVELIST:CVE-2024-30246

HistoryMar 29, 2024 - 3:50 p.m.

CVE-2024-30246 Tuleap deleting or moving an artifact can delete values from unrelated artifacts

2024-03-2915:50:19

CWE-440

CWE-670

GitHub_M

www.cve.org

tuleap

vulnerability

deletion

unrelated

artifact

values

fix

version

disclosure

restricted

information

open source

collaboration

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Tuleap is an Open Source Suite to improve management of software developments and collaboration. A malicious user could exploit this issue on purpose to delete information on the instance or possibly gain access to restricted artifacts. It is however not possible to control exactly which information is deleted. Information from theDate, File, Float, Int, List, OpenList, Text, and Permissions on artifact (this one can lead to the disclosure of restricted information) fields can be impacted. This vulnerability is fixed in Tuleap Community Edition version 15.7.99.6 and Tuleap Enterprise Edition 15.7-2, 15.6-5, 15.5-6, 15.4-8, 15.3-6, 15.2-5, 15.1-9, 15.0-9, and 14.12-6.

CNA Affected

[
  {
    "vendor": "Enalean",
    "product": "tuleap",
    "versions": [
      {
        "version": ">= 14.11.99.34, < 15.7.99.6 ",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Enalean/tuleap/commit/a0ba0ae82a29eb8bfacef286778e5e49954f5316

github.com/Enalean/tuleap/security/advisories/GHSA-jc7g-4pcv-8jcj

tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=a0ba0ae82a29eb8bfacef286778e5e49954f5316

tuleap.net/plugins/tracker/?aid=37545