CVE-2025-24029

5.3 MEDIUM

📋 TL;DR

CVE-2025-24029 is an improper permissions vulnerability in Tuleap that allows users (including anonymous users in public project dashboards) to access artifacts they shouldn't have permission to view. This affects Tuleap Community and Enterprise Editions before specific patched versions. The vulnerability enables unauthorized information disclosure of sensitive project artifacts.

💻 Affected Systems

Products:
  • Tuleap Community Edition
  • Tuleap Enterprise Edition
Versions: All versions before Tuleap Community Edition 16.3.99.1737562605, Tuleap Enterprise Edition 16.3-5, and Tuleap Enterprise Edition 16.2-7
Operating Systems: All platforms running Tuleap
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects widgets used in project dashboards, particularly dangerous when dashboards are publicly accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Anonymous users could access confidential project artifacts containing sensitive intellectual property, financial data, or personally identifiable information from public project dashboards.

🟠 Likely Case

Unauthorized users gain access to project artifacts they shouldn't see, potentially exposing internal development plans, bug reports, or project management details.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to authorized users accessing slightly broader artifact sets than intended.

🌐 Internet-Facing: HIGH - Public project dashboards allow anonymous exploitation without authentication.
🏢 Internal Only: MEDIUM - Authenticated users could still access artifacts beyond their permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires accessing specific dashboard widgets; no authentication needed for public project dashboards.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tuleap Community Edition 16.3.99.1737562605, Tuleap Enterprise Edition 16.3-5, or Tuleap Enterprise Edition 16.2-7

Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-hq46-63pc-xfv9

Restart Required: Yes

Instructions:

1. Back up your Tuleap instance and database.
2. Update Tuleap using your distribution's package manager (apt/yum).
3. Run 'tuleap-cfg site-deploy' as root.
4. Restart Tuleap services: 'systemctl restart tuleap'.

🧯 If You Can't Patch

  • Disable public access to all project dashboards in Tuleap configuration.
  • Remove or restrict artifact-related widgets from all project dashboards.

🔍 How to Verify

Check if Vulnerable:

Check the Tuleap version via the web interface (Admin > System Info) or from the command line: 'cat /usr/share/tuleap/VERSION'

Check Version:

cat /usr/share/tuleap/VERSION

Verify Fix Applied:

Verify that the version is 16.3.99.1737562605 or higher for Community Edition, or 16.3-5 / 16.2-7 or higher for the corresponding Enterprise Edition branch.
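As an added example (not part of the advisory or of Tuleap itself), a POSIX shell check that compares a version string against the fixed versions above. It assumes the Community Edition version in /usr/share/tuleap/VERSION is a plain dotted numeric string and that Enterprise Edition versions take the MAJOR.MINOR-BUILD form the advisory uses (16.3-5, 16.2-7); EE branches newer than 16.3 are treated as fixed and branches older than 16.2 as not fixed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumes CE versions are dotted
# numeric strings (as in /usr/share/tuleap/VERSION) and EE versions are
# written MAJOR.MINOR-BUILD (16.3-5), as the advisory lists them.

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for a < b, a = b, a > b; missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return; fi
        if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Community Edition: fixed from 16.3.99.1737562605 (returns 0 when fixed).
tuleap_ce_fixed() {
    [ "$(vercmp "$1" 16.3.99.1737562605)" -ge 0 ]
}

# Enterprise Edition: fixed from 16.3-5 and 16.2-7; any branch newer than
# 16.3 is treated as fixed, branches older than 16.2 as not fixed.
tuleap_ee_fixed() {
    case "$1" in *-*) ;; *) return 1 ;; esac
    branch="${1%-*}"; build="${1##*-}"
    case "$(vercmp "$branch" 16.3)" in
        1) return 0 ;;
        0) [ "$build" -ge 5 ] ;;
        *) [ "$branch" = 16.2 ] && [ "$build" -ge 7 ] ;;
    esac
}

# Read the installed CE version file (path overridable) and report.
check_installed_ce() {
    f="${1:-/usr/share/tuleap/VERSION}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    v="$(tr -d '[:space:]' < "$f")"
    if tuleap_ce_fixed "$v"; then
        echo "$v: fixed for CVE-2025-24029"
    else
        echo "$v: vulnerable to CVE-2025-24029, update Tuleap"; return 1
    fi
}
```

Run `check_installed_ce` on a CE host, or pass a copied VERSION file as its argument to check an offline inventory.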

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to artifact endpoints from unauthenticated IPs
  • Access denied errors followed by successful artifact access

Network Indicators:

  • HTTP requests to /plugins/tracker/ endpoints from unauthorized sources

SIEM Query:

source="tuleap" AND (uri_path="/plugins/tracker/*" AND (user="anonymous" OR user="-"))
