CVE-2022-31058

7.2 HIGH

📋 TL;DR

CVE-2022-31058 is a SQL injection vulnerability in Tuleap's tracker report functionality. Attackers with permission to create new trackers can execute arbitrary SQL queries, potentially leading to data theft, modification, or system compromise. All Tuleap instances running versions before 13.9.99.95 are affected.

💻 Affected Systems

Products:
  • Tuleap
Versions: All versions prior to 13.9.99.95
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an account that is allowed to create new trackers. In Tuleap that is normally the project administrator role, so every project administrator on the instance (and any role a project has delegated tracker creation to) is a candidate attacker.

📦 What is this software?

Tuleap is an open-source application lifecycle management suite developed by Enalean. It combines trackers (configurable artifact databases used for issues, requirements and tests), Git and Subversion hosting, agile planning, document management and CI integration in one web application, and is usually deployed as RPM packages on RHEL/CentOS with a MySQL/MariaDB backend.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full read and write access to the Tuleap database (MySQL/MariaDB): exfiltration of all project data and user records, tampering with permissions to escalate privileges inside Tuleap, and, if the database account holds FILE or comparable privileges, a path to code execution on the database host.

🟠

Likely Case

A malicious or compromised project administrator reads or modifies data across the whole Tuleap database, not just their own projects: artifacts in private projects, user records including password hashes, and site configuration stored in the database.

🟢

If Mitigated

With tracker creation restricted to a small set of trusted project administrators and the database account running with least privilege, exploitation needs one of those accounts to be compromised or malicious, and the damage stays inside the Tuleap schema. The injection itself is only removed by the patch.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No public exploit known
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with tracker creation permission. Once that is in hand, SQL injection is a well-understood technique for which generic tooling exists, so the absence of a public PoC should not be read as protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.9.99.95 and later

Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-4v2p-rwq9-3vjf

Restart Required: Yes

Instructions:

1. Back up the Tuleap instance and its database.
2. Update Tuleap to 13.9.99.95 or later with the system package manager (Tuleap ships as RPM packages), following the vendor's upgrade procedure.
3. Restart the Tuleap services.
4. Confirm the reported version is 13.9.99.95 or later (see How to Verify below).

🧯 If You Can't Patch

  • Restrict tracker creation (the project administrator role) to a small set of trusted accounts, and review who currently holds it.
  • Run the Tuleap database account with least privilege (no FILE privilege, no access to other schemas) so a successful injection cannot escape the Tuleap database.
  • Implement network segmentation to isolate Tuleap instances from critical systems, and keep the instance off the internet if its user base is internal.

🔍 How to Verify

Check if Vulnerable:

Compare the installed version with 13.9.99.95. The version is shown in the site administration pages of the web interface; on the server it can be read from /etc/tuleap/conf/VERSION or from the installed package.

Check Version:

cat /etc/tuleap/conf/VERSION
rpm -q tuleap

Verify Fix Applied:

Confirm the reported version is 13.9.99.95 or later. The version check is the reliable signal; sending injection payloads at a production tracker to confirm the fix is not recommended, since a probe that succeeds reads or alters real data.
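A version check as an added example (not Tuleap's own tooling): it parses the installed version string and compares it numerically with 13.9.99.95. /etc/tuleap/conf/VERSION is the path this page gives; /usr/share/tuleap/VERSION as a fallback, and treating a dash in the version as another separator, are assumptions.

```python
"""Added example (not Tuleap code): decide whether an installed Tuleap
version is below 13.9.99.95, the fixed version for CVE-2022-31058."""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "13.9.99.95"  # from the vendor advisory cited on this page

# Candidate locations of the version file. The first is the path given on
# this page; the second is an assumed fallback for RPM installs.
VERSION_FILES = ("/etc/tuleap/conf/VERSION", "/usr/share/tuleap/VERSION")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '13.9.99.95' (or '13.9-5') into a tuple of ints.
    Dashes are treated like dots (assumption); anything non-numeric is rejected
    rather than silently compared as a string."""
    parts = re.split(r"[.-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Tuleap version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """Tuple comparison orders 13.9 < 13.9.99.95 < 13.10 correctly, which a
    plain string comparison does not ('13.10' < '13.9' lexically)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def read_installed_version(paths=VERSION_FILES) -> Optional[str]:
    for p in paths:
        path = Path(p)
        if path.is_file():
            return path.read_text().strip()
    return None


def main() -> int:
    ver = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    if ver is None:
        print("no VERSION file found; try `rpm -q tuleap` or the site admin page")
        return 2
    vulnerable = is_vulnerable(ver)
    print(f"Tuleap {ver}: {'VULNERABLE' if vulnerable else 'patched'} "
          f"(fixed in {FIXED_VERSION})")
    return 1 if vulnerable else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no argument on the Tuleap host, or pass the version string printed by `rpm -q tuleap` as the first argument; the exit code is 1 when the instance is affected, 0 when patched, 2 when no version could be read.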

📡 Detection & Monitoring

Log Indicators:

  • MySQL/MariaDB errors in Tuleap application logs ("You have an error in your SQL syntax", SQLSTATE codes), especially on requests to tracker report pages
  • Tracker creation by accounts that do not normally create trackers, or a burst of tracker creations followed by report requests from the same account
  • Requests to tracker report URLs whose decoded query strings contain SQL fragments (a quote followed by OR/AND/UNION, comment sequences, stacked statements)

Network Indicators:

  • Queries from the Tuleap database account touching tables unrelated to trackers, or unusually large result sets; visible only if the general query log or an audit plugin is enabled on the database

SIEM Query:

Splunk-style and illustrative; narrow the source to your actual Tuleap log index. Matching on the bare word "SQL" is too broad to be useful.

source="tuleap.logs" ("You have an error in your SQL syntax" OR "SQLSTATE[" OR "tracker creation")
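The indicators above as a runnable scan, added here as an example that is not Tuleap's or any vendor's detection content. It assumes tracker report requests are served under /plugins/tracker/ (the tracker plugin's URL prefix), applies generic SQL-injection signatures to the URL-decoded query string, and flags MySQL-style error strings in application log lines. The embedded log lines are constructed, including the parameter names and the application log format.

```python
"""Added example (not Tuleap code): scan access and application log lines
for the SQL-injection indicators listed for CVE-2022-31058."""
import re
from urllib.parse import unquote_plus

# Assumption: tracker report pages live under Tuleap's tracker plugin prefix.
TRACKER_PATH = re.compile(r"^/plugins/tracker/")

# Generic injection signatures, applied to the *decoded* query string.
SQLI_SIGNATURES = {
    "quote-then-boolean": re.compile(r"""['"]\s*(?:or|and)\s+['"\d]""", re.I),
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "sql-comment": re.compile(r"(?:--\s|/\*|#\s*$)", re.M),
    "stacked-statement": re.compile(r";\s*(?:drop|insert|update|delete|alter)\b", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}

# MySQL/MariaDB error fragments that surface when injected SQL breaks.
DB_ERROR_SIGNATURES = re.compile(
    r"You have an error in your SQL syntax|SQLSTATE\[|Unknown column", re.I)

# Combined log format: ip - user [time] "METHOD /path?query HTTP/x" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_line(line):
    """Return a finding dict for a tracker request carrying SQL fragments, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    if not TRACKER_PATH.match(path):
        return None
    decoded = unquote_plus(query)  # signatures must see %27 as a quote
    hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "user": m.group("user"), "path": path,
            "status": m.group("status"), "rules": hits, "query": decoded}


def scan_app_line(line):
    """Return a finding dict for a database error line, else None."""
    m = DB_ERROR_SIGNATURES.search(line)
    return {"rule": "db-error", "match": m.group(0), "line": line.strip()} if m else None


def scan_logs(access_lines, app_lines):
    """Run both scanners; each finding is (source, 1-based line number, details)."""
    findings = []
    for n, line in enumerate(access_lines, 1):
        f = scan_access_line(line)
        if f:
            findings.append(("access", n, f))
    for n, line in enumerate(app_lines, 1):
        f = scan_app_line(line)
        if f:
            findings.append(("app", n, f))
    return findings


# Constructed sample lines (not real Tuleap traffic; parameter names are made up).
SAMPLE_ACCESS = [
    '10.0.0.5 - alice [21/Jun/2022:10:00:01 +0000] "GET /plugins/tracker/?tracker=42&report=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - mallory [21/Jun/2022:10:00:02 +0000] "GET /plugins/tracker/?report=7&sort=id%27%20OR%201%3D1--%20 HTTP/1.1" 500 312',
    '10.0.0.9 - mallory [21/Jun/2022:10:00:03 +0000] "GET /plugins/tracker/?report=7&sort=id%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 200 9981',
    '10.0.0.7 - bob [21/Jun/2022:10:00:04 +0000] "GET /plugins/git/?action=view%27%20OR%201%3D1 HTTP/1.1" 200 100',
]
SAMPLE_APP = [
    "2022-06-21T10:00:02+00:00 tuleap: ERROR SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax",
    "2022-06-21T10:00:05+00:00 tuleap: INFO tracker 42 created by alice",
]

if __name__ == "__main__":
    for source, n, details in scan_logs(SAMPLE_ACCESS, SAMPLE_APP):
        print(f"[{source}:{n}] {details}")
```

The fourth access line is deliberately noisy: it carries the same quote-then-OR fragment but targets the Git plugin, so the tracker-path filter drops it. Widen `TRACKER_PATH` only if you have confirmed the report endpoints of your deployment, because the signatures alone will fire on any search box that accepts free text.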

🔗 References

  • Vendor advisory (GitHub Security Advisory GHSA-4v2p-rwq9-3vjf): https://github.com/Enalean/tuleap/security/advisories/GHSA-4v2p-rwq9-3vjf
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-31058