Tuleap Missing Cross-Site Request Forgery Protection Vulnerability in Tracker Fields Administration

Vulnerability

A vulnerability exists in Tuleap's tracker fields administrative operations due to a lack of Cross-Site Request Forgery (CSRF) protections. This issue allows an attacker to manipulate tracker fields by removing or updating them, potentially disrupting project management workflows. The vulnerability affects Tuleap Community Edition versions prior to 16.4.99.1740414959 and Tuleap Enterprise Edition versions prior to 16.4-6 and 16.3-11.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of tracker fields, allowing for their removal or alteration. Such changes could disrupt project management processes and workflows that rely on the integrity of tracker data.

Reproduction

To reproduce this vulnerability, access the Tuleap application and navigate to the tracker fields administration section. Because the update and remove operations there did not require a CSRF token, an attacker could craft a request that updates or removes tracker fields. A CSRF token is the per-session value a server normally checks to verify that a state-changing request originated from its own pages and was not forged by a third-party site.
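The following Python example, added here and not taken from Tuleap's code base, models the flaw and its fix side by side: the same "remove field" and "rename field" administrative operation handled once without a CSRF check (any request carrying the victim's session cookie is honoured) and once with a synchronizer-token check that rejects the forged request before any state changes. The `Session`, `Tracker` and handler names, the field ids and the form layout are all hypothetical, constructed for the demonstration.

```python
"""Synchronizer-token CSRF check for a tracker-field admin action.

Constructed example (not Tuleap's code): a minimal in-memory model of a
logged-in session, a tracker with fields, and two handlers for the same
administrative operation, one without a CSRF check (the pattern the
advisory describes) and one with it.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session (hypothetical) selected by the browser's cookie;
    it also holds the secret CSRF token issued to this session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Tracker:
    """Hypothetical tracker: field id -> field label."""
    fields: dict


def apply_field_change(tracker: Tracker, form: dict) -> int:
    """Perform the administrative change; returns an HTTP-style status."""
    field_id = form.get("field_id")
    if field_id not in tracker.fields:
        return 404
    action = form.get("action")
    if action == "remove":
        del tracker.fields[field_id]
    elif action == "rename":
        tracker.fields[field_id] = form.get("label", "")
    else:
        return 400
    return 200


def handle_unprotected(session: Session, tracker: Tracker, form: dict) -> int:
    """Vulnerable pattern: every POST that arrives with a valid session is
    honoured, so a form auto-submitted by a cross-site page looks exactly
    like a click inside the real administration page."""
    return apply_field_change(tracker, form)


def csrf_token_is_valid(session: Session, form: dict) -> bool:
    """Synchronizer-token check: the form must echo the per-session secret.
    A cross-site page cannot read that secret (same-origin policy), so it
    cannot produce a passing request. Constant-time comparison avoids
    leaking the token through timing."""
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def handle_protected(session: Session, tracker: Tracker, form: dict) -> int:
    """Hardened handler: reject with 403 before touching any state."""
    if not csrf_token_is_valid(session, form):
        return 403
    return apply_field_change(tracker, form)


def demo() -> dict:
    """Send the same forged request to both handlers, then a genuine one."""
    results = {}
    # Forged request (constructed): what a third-party page could cause the
    # victim's browser to send. The cookie goes along; the token cannot.
    forged = {"action": "remove", "field_id": "f1"}

    session = Session(user="tracker-admin")
    tracker = Tracker(fields={"f1": "Severity", "f2": "Status"})
    results["unprotected_status"] = handle_unprotected(session, tracker, forged)
    results["unprotected_fields"] = dict(tracker.fields)

    session = Session(user="tracker-admin")
    tracker = Tracker(fields={"f1": "Severity", "f2": "Status"})
    results["protected_forged_status"] = handle_protected(session, tracker, forged)
    results["protected_fields_after_forged"] = dict(tracker.fields)

    # Genuine request: the real admin page embeds the session's token.
    genuine = {"action": "rename", "field_id": "f1", "label": "Priority",
               "csrf_token": session.csrf_token}
    results["protected_genuine_status"] = handle_protected(session, tracker, genuine)
    results["protected_fields_after_genuine"] = dict(tracker.fields)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unprotected handler deleting the field on the forged request (status 200) while the protected handler returns 403 and leaves the tracker untouched, then accepts the genuine request that carries the token. The check belongs in every state-changing administrative endpoint, not only the ones reached from a form; a `SameSite` cookie attribute is a useful second layer but does not replace the token.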

Remediation

Users can upgrade to Tuleap Community Edition 16.4.99.1740414959 or Tuleap Enterprise Edition 16.4-6 or 16.3-11 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.