Description
Tuleap is a Free & Open Source Suite to improve management of software development and collaboration. In versions prior to 13.9.99.95, Tuleap does not properly sanitize user input when constructing the SQL query that retrieves data for tracker reports. An attacker with the capability to create a new tracker can execute arbitrary SQL queries. Users are advised to upgrade. There is no known workaround for this issue.
References (4)
Third Party Advisory (x_refsource_confirm): https://github.com/Enalean/tuleap/security/advisories/GHSA-4v2p-rwq9-3vjf
Patch, Third Party Advisory (x_refsource_misc): https://github.com/Enalean/tuleap/commit/b91bcd57c8344ec2a4c1833629e400cef4dd901a
Patch, Vendor Advisory (x_refsource_misc): https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=b91bcd57c8344ec2a4c1833629e400cef4dd901a
Issue Tracking, Vendor Advisory (x_refsource_misc): https://tuleap.net/plugins/tracker/?aid=27172
Scores
CVSS v3
7.2
EPSS
0.0134
EPSS Percentile
80.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
enalean/tuleap
< 13.9.99.111
enalean/tuleap
13.8.0 - 13.8.6
Published
Jun 29, 2022
Tracked Since
Feb 18, 2026