CVE-2025-27401

Published: Mar 4, 2025

Modified: Mar 4, 2025

PUBLISHED

CVSS v3.1

4.6

MEDIUM

Description

Tuleap is an Open Source Suite to improve management of software developments and collaboration. In a standard usages of Tuleap, the issue has a limited impact, it will mostly leave dangling data. However, a malicious user could create and delete reports multiple times to cycle through all the filters of all reports of the instance and delete them. The malicious user only needs to have access to one tracker. This would result in the loss of all criteria filters forcing users and tracker admins to re-create them. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740498975 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

Vendor	Product	Versions
Enalean	tuleap	affected `< 16.4.99.1740498975`

Weaknesses (CWE)

CWE-440

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://github.com/Enalean/tuleap/security/advisories/GHSA-3rjf-87rf-h8m9

x_refsource_CONFIRM

https://github.com/Enalean/tuleap/commit/0070fef5c3b27fd402d3232041c6e03f79a84ffd

x_refsource_MISC

https://tuleap.net/plugins/tracker/?aid=41850

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-27401

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References