PT-2021-7108 · Tuleap · Ldap Plugin

Reported by: Tgerbet · Published: 2021-11-17 · Updated: 2022-08-09 · CVE-2021-41276

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Tuleap versions prior to 13.2.99.31 (Community Edition)
Tuleap versions prior to 13.1-5 (Enterprise Edition)
Tuleap versions prior to 13.2-3 (Enterprise Edition)

Description
The issue arises from improper sanitization of the search filter built from the ldap id attribute of a user during daily synchronization. A malicious user with site administrator capability on the Tuleap instance, or an LDAP operator with account creation/modification capability, could exploit this to suspend accounts or take over another account by forcing the update of the ldap uid attribute. This requires the Tuleap instance to have the LDAP plugin activated and enabled.

Recommendations
For versions prior to 13.2.99.31 (Community Edition), update to Tuleap Community Edition 13.2.99.31 or later. For versions prior to 13.1-5 (Enterprise Edition), update to Tuleap Enterprise Edition 13.1-5 or later. For versions prior to 13.2-3 (Enterprise Edition), update to Tuleap Enterprise Edition 13.2-3 or later. As a temporary workaround, consider restricting access to the LDAP plugin or disabling it until a patch is applied. Additionally, limiting site administrator and LDAP operator capabilities can help minimize the risk of exploitation.
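The root cause described above is a search filter assembled from an attribute value without escaping. The following added example (illustration only, not Tuleap's code, which is PHP and can use ldap_escape() with LDAP_ESCAPE_FILTER) shows the unescaped construction beside a hardened one that applies RFC 4515 filter escaping, plus a crude structural check; the function names, the attribute name and the constructed input value are assumptions.

```python
# Added example, not taken from Tuleap. Escapes a user-influenced attribute
# value before it is spliced into an LDAP search filter (RFC 4515 section 3).

# Characters that RFC 4515 requires to be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Each character is mapped exactly once, so emitted escapes are never re-escaped.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_sync_filter_unsafe(ldap_id_attr: str, ldap_id: str) -> str:
    """The pattern the advisory describes: the raw value is spliced into the filter."""
    return f"({ldap_id_attr}={ldap_id})"


def build_sync_filter(ldap_id_attr: str, ldap_id: str) -> str:
    """Hardened form: the value is escaped, so the filter keeps a single assertion."""
    # The attribute description comes from plugin configuration, not from users;
    # still restrict it to attribute-type characters (assumption: no options).
    if not ldap_id_attr.replace("-", "").isalnum():
        raise ValueError("invalid attribute name")
    return f"({ldap_id_attr}={escape_filter_value(ldap_id)})"


def count_assertions(ldap_filter: str) -> int:
    """Count assertions by unescaped '('; a crude check that the filter kept its shape."""
    n = i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip a \xx hex escape
            continue
        if ldap_filter[i] == "(":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    # Constructed value containing filter metacharacters (not from the advisory).
    ldap_id = "jdoe)(uid=*"
    print(build_sync_filter_unsafe("uid", ldap_id), count_assertions(build_sync_filter_unsafe("uid", ldap_id)))
    print(build_sync_filter("uid", ldap_id), count_assertions(build_sync_filter("uid", ldap_id)))
```

With escaping applied, the value can only match the one attribute the filter was written for, which is the property the daily synchronization relies on.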

Fix

Weakness Enumeration

Special Elements Injection

Related Identifiers

BDU:2022-03365
CVE-2021-41276
GHSA-887W-PV2R-X8PM

Affected Products

Ldap Plugin
Tuleap
Tuleap Community Edition
Tuleap Enterprise Edition