CVE-2023-32072

Tuleap is an open source tool for end to end traceability of application and system developments. Tuleap Community Edition prior to version 14.8.99.60 and Tuleap Enterprise edition prior to 14.8-3 and 14.7-7, the logs of the triggered Jenkins job URLs are not properly escaped. A malicious Git administrator can setup a malicious Jenkins hook to make a victim, also a Git administrator, execute uncontrolled code. Tuleap Community Edition 14.8.99.60, Tuleap Enterprise Edition 14.8-3, and Tuleap Enterprise Edition 14.7-7 contain a patch for this issue.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Enalean/tuleap/commit/6840529def97f564844e810e5a7c5bf837cf58d5	Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-6prc-j58r-fmjq	Vendor Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=6840529def97f564844e810e5a7c5bf837cf58d5	Patch
https://tuleap.net/plugins/tracker/?aid=31929	Vendor Advisory
https://github.com/Enalean/tuleap/commit/6840529def97f564844e810e5a7c5bf837cf58d5	Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-6prc-j58r-fmjq	Vendor Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=6840529def97f564844e810e5a7c5bf837cf58d5	Patch
https://tuleap.net/plugins/tracker/?aid=31929	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:enalean:tuleap:::::enterprise:::*
	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

History

21 Nov 2024, 08:02

Type	Values Removed	Values Added
References	~~() https://github.com/Enalean/tuleap/commit/6840529def97f564844e810e5a7c5bf837cf58d5 - Patch~~	() https://github.com/Enalean/tuleap/commit/6840529def97f564844e810e5a7c5bf837cf58d5 - Patch
References	~~() https://github.com/Enalean/tuleap/security/advisories/GHSA-6prc-j58r-fmjq - Vendor Advisory~~	() https://github.com/Enalean/tuleap/security/advisories/GHSA-6prc-j58r-fmjq - Vendor Advisory
References	~~() https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=6840529def97f564844e810e5a7c5bf837cf58d5 - Patch~~	() https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=6840529def97f564844e810e5a7c5bf837cf58d5 - Patch
References	~~() https://tuleap.net/plugins/tracker/?aid=31929 - Vendor Advisory~~	() https://tuleap.net/plugins/tracker/?aid=31929 - Vendor Advisory

05 Jun 2023, 15:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:enalean:tuleap:::::community:::* cpe:2.3:a:enalean:tuleap:::::enterprise:::*
First Time		Enalean tuleap Enalean
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
CWE		CWE-79
References	~~(MISC) https://tuleap.net/plugins/tracker/?aid=31929 -~~	(MISC) https://tuleap.net/plugins/tracker/?aid=31929 - Vendor Advisory
References	~~(MISC) https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=6840529def97f564844e810e5a7c5bf837cf58d5 -~~	(MISC) https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=6840529def97f564844e810e5a7c5bf837cf58d5 - Patch
References	~~(MISC) https://github.com/Enalean/tuleap/commit/6840529def97f564844e810e5a7c5bf837cf58d5 -~~	(MISC) https://github.com/Enalean/tuleap/commit/6840529def97f564844e810e5a7c5bf837cf58d5 - Patch
References	~~(MISC) https://github.com/Enalean/tuleap/security/advisories/GHSA-6prc-j58r-fmjq -~~	(MISC) https://github.com/Enalean/tuleap/security/advisories/GHSA-6prc-j58r-fmjq - Vendor Advisory

29 May 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-29 21:15

Updated : 2024-11-21 08:02

NVD link : CVE-2023-32072

Mitre link : CVE-2023-32072

CVE.ORG link : CVE-2023-32072

JSON object : View

Products Affected

enalean

tuleap

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10