Tuleap Backlog Tracker Permission Vulnerability

Vulnerability

A vulnerability exists in Tuleap's backlog item representations, specifically in versions prior to 16.11.99.1757427600 for the Community Edition and prior to 16.11-6 and 16.10-8 for the Enterprise Edition. The issue arises because the representations do not properly verify permissions for child trackers. As a result, users may be able to see tracker names that they should not have access to.

Impact

This vulnerability could disclose the names of trackers that the affected user is not permitted to view, revealing the existence of those trackers even though their contents remain inaccessible.

Reproduction

To reproduce this vulnerability, a user must have access to a tracker that has child trackers they cannot access. When that user views a backlog item whose representation includes these child trackers, the names of the inaccessible child trackers are exposed.
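The following is an added illustration of the pattern the advisory describes, not Tuleap's own code: the `Tracker`, `BacklogItemRepresentation` and `userCanView` names are hypothetical stand-ins. It contrasts a representation that copies child tracker names without any check with one that filters each child tracker against the requesting user's read permission.

```php
<?php
// Added example, not Tuleap code. All class, method and user names are hypothetical.

final class Tracker
{
    /** @param string[] $readers users allowed to read this tracker (constructed sample ACL) */
    public function __construct(public readonly int $id, public readonly string $name, private array $readers) {}

    /** Hypothetical permission check standing in for the tracker's real read permission. */
    public function userCanView(string $user): bool
    {
        return in_array($user, $this->readers, true);
    }
}

final class BacklogItemRepresentation
{
    /** Vulnerable shape: child tracker names are emitted without verifying the viewer's permission. */
    public static function buildUnchecked(Tracker $parent, array $children): array
    {
        return [
            'tracker'  => $parent->name,
            'children' => array_map(fn (Tracker $t) => $t->name, $children),
        ];
    }

    /** Hardened shape: every child tracker is filtered against the requesting user before its name is exposed. */
    public static function buildForUser(string $user, Tracker $parent, array $children): array
    {
        $visible = array_filter($children, fn (Tracker $t) => $t->userCanView($user));
        return [
            'tracker'  => $parent->name,
            'children' => array_values(array_map(fn (Tracker $t) => $t->name, $visible)),
        ];
    }
}

// Constructed sample data: "bob" may read the parent and one child, but not the second child.
$parent   = new Tracker(1, 'Epics', ['alice', 'bob']);
$children = [
    new Tracker(2, 'Stories', ['alice', 'bob']),
    new Tracker(3, 'Restricted Child', ['alice']),
];

echo "unchecked (vulnerable) children for bob: ";
echo json_encode(BacklogItemRepresentation::buildUnchecked($parent, $children)['children']), PHP_EOL;
echo "permission-filtered children for bob:    ";
echo json_encode(BacklogItemRepresentation::buildForUser('bob', $parent, $children)['children']), PHP_EOL;
```

The first line prints both child names, reproducing the disclosure; the second omits the child tracker bob cannot read, which is the check the fixed versions apply.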

Remediation

Users can upgrade to Tuleap Community Edition 16.11.99.1757427600 or Tuleap Enterprise Edition 16.11-6 or 16.10-8 to address this vulnerability.

Added: Sep 18, 2025, 4:12 PM
Updated: Sep 18, 2025, 4:12 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.