CVE-2024-39902
📋 TL;DR
This vulnerability in Tuleap's document manager allows users to retain edit or manage permissions on sub-items when permissions are being restricted via the web UI. The checkbox 'Apply same permissions to all sub-items of this folder' is ignored, always treated as unchecked. This affects Tuleap Community and Enterprise Edition users who manage document permissions through the web interface.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users maintain edit/manage access to sensitive documents after permission changes, potentially leading to data modification, deletion, or unauthorized access to confidential project materials.
Likely Case
Users who should have lost access to specific document subfolders retain unintended permissions, creating inconsistent access controls within project documentation.
If Mitigated
With proper monitoring and regular permission audits, the impact is limited to temporary permission inconsistencies that can be detected and corrected.
🎯 Exploit Status
Exploitation requires authenticated access and familiarity with the permission management interface. The vulnerability lies in the web UI's handling of the checkbox rather than in a traditional exploit: a permission restriction that an administrator believes was applied recursively silently leaves sub-items unchanged.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 15.10.99.128, Tuleap Enterprise Edition 15.10-6 or 15.9-8
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7
Restart Required: Yes
Instructions:
1. Backup your Tuleap instance and database.
2. Update to the patched version using your distribution's package manager or the Tuleap upgrade process.
3. Restart Tuleap services.
4. Verify the fix by testing permission changes in the document manager.
🔧 Temporary Workarounds
Use REST API for permission changes
Make all document permission changes via the REST API instead of the web UI, as API changes are not affected by this vulnerability.
Use Tuleap REST API endpoints for document permissions management
Manual sub-item permission verification
After changing folder permissions via the web UI, manually verify and adjust permissions for all sub-items individually.
🧯 If You Can't Patch
- Implement strict access monitoring and regular permission audits for document repositories
- Train administrators to use REST API exclusively for permission management until patching is possible
🔍 How to Verify
Check if Vulnerable:
Test permission changes in the document manager:
1. Create a folder with sub-items.
2. Change the folder permissions with 'Apply same permissions to all sub-items' checked.
3. Verify whether the sub-items actually received the permission changes.
Check Version:
tuleap info | grep 'Tuleap version' or check Tuleap web interface administration panel
Verify Fix Applied:
After patching, repeat the vulnerable test case. The checkbox should now properly apply permissions to all sub-items when checked.
📡 Detection & Monitoring
Log Indicators:
- Unusual permission change patterns in document manager logs
- Multiple permission adjustment attempts on the same document hierarchy
Network Indicators:
- Increased API calls to document permission endpoints if workaround implemented
SIEM Query:
source="tuleap" AND (event="document_permission_change" AND subitem_permissions_mismatch=true)
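The verification steps above and the "sub-item permissions mismatch" condition in the SIEM query both come down to the same check: after a folder's permissions are restricted with the checkbox enabled, every item below that folder should carry exactly the folder's permissions, and any group that still holds more access than the folder now grants is the CVE-2024-39902 symptom. The following added example (not Tuleap's code, and not using the Tuleap REST API) models a document tree as a flat list of items with per-user-group permission levels and reports every descendant whose permissions were not propagated. Item ids, group names, and the four-level permission model are constructed for the example; in practice the snapshot would be populated from an export of the document manager's permissions.

```python
"""Permission-propagation check for a document folder tree.

Added example, not Tuleap's own code. Item ids, user-group names and the
permission levels below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Ordered so that a higher index means more access.
LEVELS = ["none", "read", "write", "manage"]


@dataclass
class Item:
    item_id: int
    parent_id: Optional[int]
    perms: Dict[str, str] = field(default_factory=dict)  # ugroup -> level


def descendants(items: List[Item], root_id: int) -> Iterator[Item]:
    """Yield every item below root_id, at any depth."""
    by_parent: Dict[Optional[int], List[Item]] = {}
    for it in items:
        by_parent.setdefault(it.parent_id, []).append(it)
    stack = list(by_parent.get(root_id, []))
    while stack:
        it = stack.pop()
        yield it
        stack.extend(by_parent.get(it.item_id, []))


Mismatch = Tuple[int, str, str, str]  # (item_id, ugroup, expected, actual)


def find_unpropagated(items: List[Item], folder_id: int) -> List[Mismatch]:
    """Return one tuple per (sub-item, group) whose level differs from the folder's.

    A group absent from an item's permission map is treated as 'none', so a
    sub-item that still lists a group the folder no longer grants is reported.
    """
    by_id = {it.item_id: it for it in items}
    expected = by_id[folder_id].perms
    mismatches: List[Mismatch] = []
    for it in descendants(items, folder_id):
        for group in sorted(set(expected) | set(it.perms)):
            want = expected.get(group, "none")
            have = it.perms.get(group, "none")
            if want != have:
                mismatches.append((it.item_id, group, want, have))
    return mismatches


def retained_excess(mismatches: List[Mismatch]) -> List[Mismatch]:
    """Keep only mismatches where a group holds MORE access than the folder grants.

    This is the condition CVE-2024-39902 produces when a restriction made via
    the web UI is not applied to sub-items.
    """
    return [m for m in mismatches if LEVELS.index(m[3]) > LEVELS.index(m[2])]


# Constructed snapshot: folder 100 was restricted to project_members=read and
# contractors removed, but the checkbox was ignored so items 102 and 103 kept
# their old permissions. Item 101 was adjusted by hand and is consistent.
SNAPSHOT = [
    Item(100, None, {"project_members": "read", "project_admins": "manage"}),
    Item(101, 100, {"project_members": "read", "project_admins": "manage"}),
    Item(102, 100, {"project_members": "write", "project_admins": "manage",
                    "contractors": "manage"}),
    Item(103, 102, {"project_members": "read", "project_admins": "manage",
                    "contractors": "write"}),
]


if __name__ == "__main__":
    for item_id, group, want, have in retained_excess(find_unpropagated(SNAPSHOT, 100)):
        print(f"item {item_id}: {group} still has '{have}', folder grants '{want}'")
```

Run against a snapshot taken after the web-UI change: an empty result from `retained_excess` means the restriction propagated (or the instance is patched); any rows are the sub-items that still need to be fixed individually, which is the same list the manual workaround above would produce by hand.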
🔗 References
- https://github.com/Enalean/tuleap/commit/580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb
- https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb
- https://tuleap.net/plugins/tracker/?aid=38675