Tuleap · CVE-2022-39233
**Name of the Vulnerable Software and Affected Versions**
Tuleap versions 12.9.99.228 through 14.0.99.23
**Description**
The issue is improper verification of authorizations when updating the branch prefix used by the GitLab repository integration. Authenticated users can change the branch prefix of any GitLab repository integration they can see via the REST endpoint `PATCH /gitlab_repositories/{id}`, an action that should be restricted to Git administrators.
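The flaw described above is a classic missing authorization step: the handler verifies that the caller can *see* the integration (a visibility check) but never verifies that the caller is a Git administrator of the owning project (a permission check). The following is an added, hypothetical Python model of that pattern, written for this page and not Tuleap's own code; the classes `Project`, `GitLabIntegration` and `GitLabIntegrationService`, the helper names `_visible_integration` and `_is_git_admin`, and the sample users and ids are all constructed assumptions. It shows the vulnerable handler beside the corrected one, which is also what the workaround in the recommendations section asks an operator to enforce.

```python
from dataclasses import dataclass, field


class NotFound(Exception):
    """Caller cannot see the integration (or it does not exist): respond as if absent."""


class Forbidden(Exception):
    """Caller can see the integration but lacks the Git administrator permission."""


@dataclass
class Project:
    project_id: int
    members: set = field(default_factory=set)      # users who can see the project
    git_admins: set = field(default_factory=set)   # subset allowed to administer Git


@dataclass
class GitLabIntegration:
    integration_id: int
    project_id: int
    branch_prefix: str = ""


class GitLabIntegrationService:
    """Hypothetical in-memory stand-in for the PATCH /gitlab_repositories/{id} handler."""

    def __init__(self, projects, integrations):
        self.projects = {p.project_id: p for p in projects}
        self.integrations = {i.integration_id: i for i in integrations}

    def _visible_integration(self, user, integration_id):
        # Visibility check only: any member of the owning project passes.
        integration = self.integrations.get(integration_id)
        if integration is None or user not in self.projects[integration.project_id].members:
            raise NotFound(integration_id)
        return integration

    def _is_git_admin(self, user, integration):
        return user in self.projects[integration.project_id].git_admins

    def patch_branch_prefix_vulnerable(self, user, integration_id, new_prefix):
        # Vulnerable shape: visibility is treated as sufficient to modify.
        integration = self._visible_integration(user, integration_id)
        integration.branch_prefix = new_prefix
        return integration.branch_prefix

    def patch_branch_prefix_fixed(self, user, integration_id, new_prefix):
        # Fixed shape: visibility gates existence, then the Git admin permission gates the write.
        integration = self._visible_integration(user, integration_id)
        if not self._is_git_admin(user, integration):
            raise Forbidden(f"{user} is not a Git administrator of project {integration.project_id}")
        integration.branch_prefix = new_prefix
        return integration.branch_prefix


def run_scenario():
    """Exercise both handlers with constructed sample data and return the observed outcomes."""
    project = Project(101, members={"alice", "bob"}, git_admins={"bob"})

    def fresh_service():
        return GitLabIntegrationService([project], [GitLabIntegration(7, 101, "dev-")])

    results = {}

    # Vulnerable handler: a plain member (alice) rewrites the prefix.
    svc = fresh_service()
    results["vulnerable_member"] = svc.patch_branch_prefix_vulnerable("alice", 7, "changed-")

    # Fixed handler: the same member is refused and the prefix is untouched.
    svc = fresh_service()
    try:
        svc.patch_branch_prefix_fixed("alice", 7, "changed-")
        results["fixed_member"] = "allowed"
    except Forbidden:
        results["fixed_member"] = "forbidden"
    results["fixed_prefix_after_member"] = svc.integrations[7].branch_prefix

    # Fixed handler: a Git administrator (bob) may still update it.
    results["fixed_admin"] = svc.patch_branch_prefix_fixed("bob", 7, "release-")

    # Fixed handler: a non-member (carol) cannot even see the resource.
    try:
        svc.patch_branch_prefix_fixed("carol", 7, "x-")
        results["fixed_outsider"] = "allowed"
    except NotFound:
        results["fixed_outsider"] = "not_found"

    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two handlers differ by a single conditional, which is why this class of bug survives review: the visibility check looks like an authorization check. A useful habit when reviewing write endpoints is to ask, separately, "who may see this object?" and "who may change it?", and to confirm that a test exists for a caller who satisfies the first but not the second (alice above).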
**Recommendations**
For Tuleap versions 12.9.99.228 through 14.0.99.23, update to Tuleap Community Edition 14.0.99.24 or Tuleap Enterprise Edition 14.0-3 to resolve the issue.
As a temporary workaround, consider restricting access to the `PATCH /gitlab_repositories/{id}` endpoint so that only Git administrators can make changes.