PT-2022-24829

Rossettoy

Published: 2022-10-19 · Updated: 2023-07-14

CVE-2022-39233

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Tuleap versions 12.9.99.228 through 14.0.99.23
Description: The issue is an improper verification of authorizations when updating the branch prefix used by the GitLab repository integration. Authenticated users can change the branch prefix of any GitLab repository integration they can see via the REST endpoint PATCH /gitlab_repositories/{id}, an action that should be restricted to Git administrators.
Recommendations: For Tuleap versions 12.9.99.228 through 14.0.99.23, update to Tuleap Community Edition 14.0.99.24 or Tuleap Enterprise Edition 14.0-3 to resolve the issue. As a temporary workaround, consider restricting access to the PATCH /gitlab_repositories/{id} endpoint so that only Git administrators can make changes.
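The authorization decision described above, modelled as an added illustration (not Tuleap's own code): the vulnerable handler only checks that the caller can see the integration, while the fixed handler additionally requires the caller to be a Git administrator of the integration's project. All class and function names are hypothetical.

```python
# Added illustration, not Tuleap's code: models the check behind
# PATCH /gitlab_repositories/{id} before and after the fix for CVE-2022-39233.
# Every class and function name here is hypothetical.
from dataclasses import dataclass, field


@dataclass
class Project:
    id: int
    members: set = field(default_factory=set)     # users who can see the project
    git_admins: set = field(default_factory=set)  # users allowed to administer Git


@dataclass
class GitLabIntegration:
    id: int
    project: Project
    branch_prefix: str = ""


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


def can_see(user: str, integration: GitLabIntegration) -> bool:
    return user in integration.project.members


def is_git_admin(user: str, integration: GitLabIntegration) -> bool:
    return user in integration.project.git_admins


def patch_branch_prefix_vulnerable(user: str, integration: GitLabIntegration, new_prefix: str) -> str:
    # Behaviour described for versions 12.9.99.228 through 14.0.99.23:
    # visibility of the integration is the only check before the write.
    if not can_see(user, integration):
        raise Forbidden("integration not visible to caller")
    integration.branch_prefix = new_prefix
    return integration.branch_prefix


def patch_branch_prefix_fixed(user: str, integration: GitLabIntegration, new_prefix: str) -> str:
    # Hardened behaviour: visibility is necessary but not sufficient; the caller
    # must also hold Git administration rights on the integration's project.
    if not can_see(user, integration):
        raise Forbidden("integration not visible to caller")
    if not is_git_admin(user, integration):
        raise Forbidden("Git administrator rights required")
    integration.branch_prefix = new_prefix
    return integration.branch_prefix
```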

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2022-39233
GHSA-3884-972X-3CCQ

Affected Products

Gitlab
Tuleap