PT-2021-7107 · Unknown · Tuleap Enterprise Edition

Tgerbet +1 · Published 2021-11-23 · Updated 2022-08-09 · CVE-2021-43782

CVSS v2.0: 8.5 (High) · Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Tuleap versions prior to 13.2.99.83; Tuleap Enterprise Edition versions prior to 13.1-6; Tuleap Enterprise Edition versions prior to 13.2-4

Description: The issue exists due to improper sanitization of the search filter built from the ldap id attribute of a user during daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap uid attribute. This can be done by a user with site administrator capability on the Tuleap instance or an LDAP operator with the capability to create/modify accounts, provided the Tuleap instance has the LDAP plugin activated and enabled.

Recommendations: For versions prior to 13.2.99.83, update to Tuleap Community Edition 13.2.99.83 or later. For Tuleap Enterprise Edition versions prior to 13.1-6, update to Tuleap Enterprise Edition 13.1-6 or later. For Tuleap Enterprise Edition versions prior to 13.2-4, update to Tuleap Enterprise Edition 13.2-4 or later. As a temporary workaround, consider restricting access to the LDAP plugin or disabling it until a patch is applied. Additionally, limiting site administrator capabilities and LDAP operator privileges can help minimize the risk of exploitation.
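The defect the description names, as an added illustration that is not Tuleap's code: a Python model of a daily synchronization lookup that builds the directory search filter from the stored ldap id attribute, once interpolated raw and once escaped per RFC 4515, run against a constructed toy directory. The matcher, the sample entries and the function names are assumptions made for the example.

```python
import re

# RFC 4515 filter escaping: these characters must appear as \XX inside an
# assertion value, otherwise they alter the structure or meaning of the filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape_filter_value(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_sync_filter_unsafe(uid_attr: str, ldap_id: str) -> str:
    # The pattern the advisory describes: the stored attribute value is
    # interpolated into the filter as-is.
    return f"({uid_attr}={ldap_id})"

def build_sync_filter_safe(uid_attr: str, ldap_id: str) -> str:
    return f"({uid_attr}={ldap_escape_filter_value(ldap_id)})"

# Toy directory matcher (assumption): one equality/substring assertion only.
_ASSERTION = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")

def _value_to_regex(raw: str) -> "re.Pattern[str]":
    # An unescaped '*' is a wildcard; '\XX' decodes to one literal character.
    parts = []
    for piece in raw.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def search(entries: list, filt: str) -> list:
    m = _ASSERTION.match(filt)
    if not m:
        raise ValueError(f"malformed filter: {filt!r}")
    pattern = _value_to_regex(m.group(2))
    return [e for e in entries if pattern.match(e.get(m.group(1), ""))]

DIRECTORY = [  # constructed sample entries, not a real directory
    {"uid": "alice", "mail": "alice@example.test"},
    {"uid": "bob", "mail": "bob@example.test"},
    {"uid": "carol", "mail": "carol@example.test"},
]

def sync_lookup(ldap_id: str, safe: bool = True) -> list:
    build = build_sync_filter_safe if safe else build_sync_filter_unsafe
    return [e["uid"] for e in search(DIRECTORY, build("uid", ldap_id))]

def resolve_sync_target(ldap_id: str) -> str:
    # A sync job should act on exactly one entry; zero or several matches mean
    # the stored id is wrong or the filter no longer says what was intended.
    matches = sync_lookup(ldap_id, safe=True)
    if len(matches) != 1:
        raise LookupError(f"expected one entry for {ldap_id!r}, got {len(matches)}")
    return matches[0]
```

With the raw build, a stored id of `*` makes the sync filter match every entry, while the escaped build matches only an entry whose uid is literally `*`; requiring exactly one match is the check that keeps a bad id from suspending or re-binding the wrong account.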

Fix

Weakness Enumeration: Special Elements Injection

Related Identifiers

BDU:2022-03364
CVE-2021-43782
GHSA-887W-PV2R-X8PM
GHSA-CWV9-HHM4-JR84

Affected Products

Ldap
Tuleap
Tuleap Enterprise Edition