CVE-2024-47767
📋 TL;DR
This vulnerability in Tuleap allows users to see tracker names they should not have access to due to improper handling of permissions. It affects all Tuleap Community and Enterprise Edition users running vulnerable versions. The issue is an information disclosure vulnerability that could expose sensitive project or organizational data.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map organizational structure, identify sensitive projects, and use this information for social engineering or targeted attacks against specific teams or individuals.
Likely Case
Users accidentally or intentionally viewing tracker names for projects they shouldn't have access to, potentially revealing project existence, team structures, or development activities.
If Mitigated
Limited exposure of tracker names only, without access to actual tracker content, data, or project details.
🎯 Exploit Status
Exploitation requires authenticated user access. The vulnerability is in the UI/permission logic rather than a direct API or network-level issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, Tuleap Enterprise Edition 15.12-8
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-j342-v27q-329v
Restart Required: Yes
Instructions:
1. Back up your Tuleap installation and database.
2. Update to the patched version using your distribution's package manager or the Tuleap upgrade process.
3. Restart Tuleap services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict user access
Temporarily limit user permissions and project access to minimize exposure while planning the upgrade.
🧯 If You Can't Patch
- Implement strict access controls and audit user permissions regularly
- Monitor for unusual access patterns to tracker listings and implement additional logging
🔍 How to Verify
Check if Vulnerable:
Check the Tuleap version via the web interface admin panel, or run the command below, and compare it against the patched versions listed above.
Check Version:
tuleap version
Verify Fix Applied:
Verify the version is patched, then test with a user who is not a member of a project that the tracker names of that project are not shown to them.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to tracker listings
- Users accessing tracker names outside their normal project scope
Network Indicators:
- Increased requests to tracker listing endpoints from unauthorized users
SIEM Query (pseudo-query; adapt the syntax and field names to your SIEM and to the fields your Tuleap deployment actually logs):
source="tuleap" AND (event="tracker_access" OR event="permission_check") AND result="success" WHERE user NOT IN authorized_users
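The pseudo-query above sketches the detection idea: a successful tracker-related event for a project the user is not a member of. The following Python is an added example, not Tuleap's code or part of the advisory, showing that logic run over constructed log records. It assumes JSON-lines events with user, project, event and result fields and a user-to-projects membership map; real Tuleap log formats and field names may differ and the parser should be adapted to what your deployment emits.

```python
"""Added example (not Tuleap's code): flag successful tracker-listing accesses
outside a user's authorized project scope.

Assumptions (constructed for this example): access events are JSON lines with
fields ts, user, project, event, result. Real Tuleap logs may differ.
"""
import json
from typing import Dict, List, Set

# Constructed sample log lines; not real Tuleap output.
SAMPLE_LOG = """\
{"ts": "2024-10-01T10:00:00Z", "user": "alice", "project": "payroll", "event": "tracker_access", "result": "success"}
{"ts": "2024-10-01T10:00:05Z", "user": "bob", "project": "payroll", "event": "tracker_access", "result": "success"}
{"ts": "2024-10-01T10:00:07Z", "user": "bob", "project": "website", "event": "permission_check", "result": "success"}
{"ts": "2024-10-01T10:00:09Z", "user": "carol", "project": "payroll", "event": "tracker_access", "result": "denied"}
{"ts": "2024-10-01T10:00:12Z", "user": "bob", "project": "m-and-a", "event": "tracker_access", "result": "success"}
{"ts": "2024-10-01T10:00:15Z", "user": "dave", "project": "website", "event": "tracker_access", "result": "success"}
"""

# Constructed membership map: user -> projects they are authorized on.
# Users absent from the map (here "dave") have no authorized projects.
AUTHORIZED_PROJECTS: Dict[str, Set[str]] = {
    "alice": {"payroll"},
    "bob": {"website"},
    "carol": set(),
}

# Event names taken from the pseudo-query on the page.
TRACKER_EVENTS = {"tracker_access", "permission_check"}


def parse_events(log_text: str) -> List[dict]:
    """Parse JSON-lines records, skipping blank or malformed lines instead of aborting."""
    events: List[dict] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_out_of_scope_access(events: List[dict], authorized: Dict[str, Set[str]]) -> List[dict]:
    """Return events where a tracker-related action succeeded for a project the
    user is not authorized on. Denied results are the expected outcome and are
    not flagged; a success outside scope is the information-disclosure signal."""
    findings: List[dict] = []
    for ev in events:
        if ev.get("event") not in TRACKER_EVENTS or ev.get("result") != "success":
            continue
        user = ev.get("user")
        project = ev.get("project")
        if project not in authorized.get(user, set()):
            findings.append(ev)
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per user so a burst of out-of-scope hits stands out."""
    counts: Dict[str, int] = {}
    for ev in findings:
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_out_of_scope_access(parse_events(SAMPLE_LOG), AUTHORIZED_PROJECTS)
    for ev in hits:
        print(f"{ev['ts']} {ev['user']} -> {ev['project']} ({ev['event']})")
    print(summarize(hits))
```

The membership map is the part that matters: build it from Tuleap's own project membership data rather than from the access logs themselves, otherwise the baseline will silently include the very accesses the vulnerability allowed.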
🔗 References
- https://github.com/Enalean/tuleap/commit/16d9efccb2fad8e10343be2604e94c9058ef2c89
- https://github.com/Enalean/tuleap/commit/e5ce81279766115dc0f126a11d6b5065b5db7eec
- https://github.com/Enalean/tuleap/commit/f89d7093d2c576ad5e2b35a6a096fcdaf563d1df
- https://github.com/Enalean/tuleap/security/advisories/GHSA-j342-v27q-329v
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=16d9efccb2fad8e10343be2604e94c9058ef2c89
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=e5ce81279766115dc0f126a11d6b5065b5db7eec
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=f89d7093d2c576ad5e2b35a6a096fcdaf563d1df
- https://tuleap.net/plugins/tracker/?aid=39728