CVE-2021-41148

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Tuleap Open ALM allows attackers with dashboard editing permissions to execute arbitrary SQL queries. It affects Tuleap Community Edition before version 11.16.99.173 and Enterprise Edition before versions 11.16-6 and 11.15-8. The vulnerability stems from insufficient input validation in the CI widget functionality.

💻 Affected Systems

Products:
  • Tuleap Open ALM Community Edition
  • Tuleap Open ALM Enterprise Edition
Versions: Community Edition < 11.16.99.173, Enterprise Edition < 11.16-6 and < 11.15-8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permission to add CI widget to personal dashboard

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data manipulation, privilege escalation, or remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, extraction of sensitive information, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact with proper input validation and database permission restrictions, potentially only affecting non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with dashboard editing permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Community Edition 11.16.99.173, Enterprise Edition 11.16-6, Enterprise Edition 11.15-8

Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-3c4q-8c35-cp63

Restart Required: Yes

Instructions:

1. Back up your Tuleap instance and database.
2. Update to the patched version using your distribution's package manager.
3. Restart Tuleap services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Dashboard Permissions (all): Temporarily restrict the ability to add CI widgets to trusted administrators only.

Database Query Monitoring (all): Enable detailed database query logging to detect SQL injection attempts.

🧯 If You Can't Patch

  • Implement strict input validation for all CI widget parameters
  • Apply database-level restrictions to limit query execution capabilities

🔍 How to Verify

Check if Vulnerable:

Check Tuleap version via web interface or command line

Check Version:

tuleap info | grep 'Tuleap version'

Verify Fix Applied:

Verify that the installed version is equal to or greater than the patched version for your edition (Community Edition 11.16.99.173; Enterprise Edition 11.16-6 or 11.15-8).

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by dashboard modifications

Network Indicators:

  • Unusual database connection patterns from Tuleap application server

SIEM Query:

source="tuleap_logs" AND ("SQL" OR "database error" OR "syntax error")
