PT-2021-23947 · Unknown+2 · Tuleap Community Edition+3
Tgerbet +1
Published 2021-12-15 · Updated 2021-12-21 · CVE-2021-43806
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Tuleap versions prior to 13.2.99.155
Tuleap Enterprise Edition versions prior to 13.1-7
Tuleap Enterprise Edition versions prior to 13.2-6
Description:
The issue arises from improper sanitization of user settings when constructing SQL queries to browse and search commits in CVS repositories. This allows an authenticated malicious user with read access to a CVS repository to execute arbitrary SQL queries. Tuleap instances without an active CVS repository are not affected.
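To make the description concrete, the following is an added example (not Tuleap's code, which is PHP, and not its real schema): a constructed commit table in an in-memory SQLite database, a search function that splices a user-controlled filter value and a user-controlled sort column straight into the SQL string, and a hardened version that binds the value as a parameter and checks the column name against an allow-list. The table name `cvs_commits`, the column names and the sample rows are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: a stand-in for a commit table (not Tuleap's schema).
ROWS = [
    (1, "proj-a", "alice", "fix build"),
    (2, "proj-a", "bob", "add tests"),
    (3, "proj-b", "carol", "refactor parser"),
]

# Column names cannot be bound as SQL parameters, so an allow-list is the
# usual control for user-selectable sort columns.
ALLOWED_SORT_COLUMNS = {"id", "author", "message"}


def make_db():
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cvs_commits "
        "(id INTEGER, repository TEXT, author TEXT, message TEXT)"
    )
    conn.executemany("INSERT INTO cvs_commits VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_commits_vulnerable(conn, repository, author_filter, sort_by):
    """Vulnerable pattern: user-controlled settings are interpolated into SQL.

    Both the filter value and the sort column become part of the query text,
    so any quote or keyword in them changes the query's meaning.
    """
    sql = (
        "SELECT id, author, message FROM cvs_commits "
        f"WHERE repository = '{repository}' AND author = '{author_filter}' "
        f"ORDER BY {sort_by}"
    )
    return conn.execute(sql).fetchall()


def search_commits_hardened(conn, repository, author_filter, sort_by):
    """Hardened pattern: values are bound, identifiers are allow-listed."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT id, author, message FROM cvs_commits "
        "WHERE repository = ? AND author = ? "
        f"ORDER BY {sort_by}"  # safe only because sort_by passed the allow-list
    )
    return conn.execute(sql, (repository, author_filter)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_commits_vulnerable(db, "proj-a", "alice", "id"))
    print(search_commits_hardened(db, "proj-a", "alice", "id"))
```

With a well-formed filter both functions return the same single row; the difference shows only when the filter value contains a quote, where the vulnerable query's `WHERE` clause is rewritten and the hardened query simply matches nothing. The allow-list on `sort_by` is the part that parameter binding alone cannot provide, which is why settings that select a column or direction need their own check.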
Recommendations:
For Tuleap Community Edition versions prior to 13.2.99.155, update to version 13.2.99.155 or later.
For Tuleap Enterprise Edition versions prior to 13.1-7, update to version 13.1-7 or later.
For Tuleap Enterprise Edition versions prior to 13.2-6, update to version 13.2-6 or later.
Fix · SQL injection
Affected Products
Cvs
Tuleap
Tuleap Community Edition
Tuleap Enterprise Edition