CVE-2024-47766

Public Exploit

Permissions are incorrectly verified for project administrators in the cross tracker search widget

Description

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, administrators of a project can access the content of trackers with permissions restrictions of project they are members of but not admin via the cross tracker search widget. Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue.

References

Link	Tags
https://github.com/Enalean/tuleap/security/advisories/GHSA-qfrh-fv84-93hx	third party advisory patch exploit
https://github.com/Enalean/tuleap/commit/529d11b70796589767dd27a40ebadf3eaf8f5674	patch
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=529d11b70796589767dd27a40ebadf3eaf8f5674	patch issue tracking
https://tuleap.net/plugins/tracker/?aid=39736	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2024-47766?: CVE-2024-47766 has been scored as a medium severity vulnerability.
How to fix CVE-2024-47766?: To fix CVE-2024-47766, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-47766 being actively exploited in the wild?: It is possible that CVE-2024-47766 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-47766?: CVE-2024-47766 affects Enalean tuleap.

Description

Categories

CWE-280 – Improper Handling of Insufficient Permissions or Privileges

CWE-755 – Improper Handling of Exceptional Conditions

References

Frequently Asked Questions