CVE-2025-30155
📋 TL;DR
Tuleap's REST API fails to enforce read permissions on parent trackers, allowing authenticated users to access tracker data they shouldn't have permission to view. This affects all Tuleap installations running vulnerable versions. The vulnerability enables information disclosure of potentially sensitive project management data.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could access confidential project planning data, milestone information, or sensitive business intelligence from parent trackers across multiple projects, potentially leading to intellectual property theft or competitive advantage loss.
Likely Case
Authenticated users with limited permissions can view tracker information from parent trackers they shouldn't have access to, leading to unauthorized information disclosure about project status, timelines, or resource allocation.
If Mitigated
With proper network segmentation and strict authentication controls, the impact is limited to authenticated users within the same security domain accessing non-critical project management data.
🎯 Exploit Status
Exploitation requires authenticated access to Tuleap and knowledge of REST API endpoints. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 16.5.99.1742392651, Tuleap Enterprise Edition 16.5-5, or Tuleap Enterprise Edition 16.4-8
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-6hr4-h6px-7ppg
Restart Required: Yes
Instructions:
1. Back up your Tuleap installation and database.
2. Update to the patched version using your package manager (apt/yum).
3. Restart Tuleap services.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Restrict REST API Access
Limit access to Tuleap REST API endpoints using network controls or a web application firewall. Note that a port-level rule such as the example below restricts the whole HTTPS service, not only the REST API; restricting the /api path alone has to be done at the reverse proxy or WAF. Also keep the rule order as shown: the ACCEPT for trusted networks must come before the catch-all DROP, or legitimate traffic is blocked too.
# Configure firewall rules to restrict API access
# Example: iptables -A INPUT -p tcp --dport 443 -s trusted_networks -j ACCEPT
# Example: iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual REST API access patterns
- Review and minimize user permissions, ensuring users only have access to necessary trackers
🔍 How to Verify
Check if Vulnerable:
Check your Tuleap version against affected versions. Test authenticated API access to parent tracker endpoints you shouldn't have permissions for.
Check Version:
tuleap info | grep 'Tuleap version', or check the version shown in the site administration section of the Tuleap web interface
Verify Fix Applied:
After patching, verify the version is updated and test that unauthorized parent tracker access via REST API now returns proper permission errors.
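The version comparison above is awkward to do by eye because the two editions use different version schemes and the Enterprise fix shipped on two maintenance branches. The following is an added helper, not Tuleap code, that takes a version string as printed by the install and decides whether it is at or above the fix level quoted in this advisory. It assumes Community Edition versions have the shape 16.5.99.1742392651 (major.minor.patch.build) and Enterprise Edition versions the shape 16.5-5 (major.minor-build); it also assumes that Enterprise branches newer than 16.5 were cut after the fix and therefore carry it.

```python
"""Decide whether a Tuleap version string is at or above the CVE-2025-30155
fix level.  Added example, not Tuleap code.  Fixed versions are taken from
the advisory; the version-string formats are assumptions."""
import re

# Fix levels quoted in the advisory.
CE_FIXED = (16, 5, 99, 1742392651)
# Enterprise Edition: first fixed build per maintenance branch.
EE_FIXED_BUILD = {(16, 5): 5, (16, 4): 8}

# Assumed formats: CE "major.minor.patch.build", EE "major.minor-build".
CE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
EE_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)$")


def parse_version(version):
    """Return ("CE", (maj, min, patch, build)) or ("EE", (maj, min, build)).

    Raises ValueError for strings that match neither assumed format.
    """
    version = version.strip()
    m = CE_RE.match(version)
    if m:
        return "CE", tuple(int(x) for x in m.groups())
    m = EE_RE.match(version)
    if m:
        return "EE", tuple(int(x) for x in m.groups())
    raise ValueError(f"unrecognised Tuleap version string: {version!r}")


def is_fixed(version):
    """True if the given version contains the fix for CVE-2025-30155."""
    edition, parts = parse_version(version)
    if edition == "CE":
        # CE builds are monotonically ordered, so a plain tuple compare works.
        return parts >= CE_FIXED
    major, minor, build = parts
    branch = (major, minor)
    if branch in EE_FIXED_BUILD:
        # On a branch that received a backport, compare the build number.
        return build >= EE_FIXED_BUILD[branch]
    # Assumption: branches newer than the newest fixed branch carry the fix,
    # branches older than the oldest fixed branch never received it.
    return branch > max(EE_FIXED_BUILD)


def describe(version):
    """Human-readable verdict for a version string."""
    try:
        fixed = is_fixed(version)
    except ValueError as exc:
        return f"{version}: cannot evaluate ({exc})"
    return f"{version}: {'fixed' if fixed else 'VULNERABLE'}"


if __name__ == "__main__":
    for v in ("16.5.99.1742392651", "16.5.99.1742000000", "16.5-4", "16.4-8", "16.3-12"):
        print(describe(v))
```

Run it against the output of the version command above; anything reported as VULNERABLE should be scheduled for the update described under Official Fix.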
📡 Detection & Monitoring
Log Indicators:
- Unusual REST API access patterns to tracker endpoints
- Multiple failed permission checks followed by successful data retrieval
- Access to tracker IDs outside the user's normal project scope
Network Indicators:
- Increased REST API traffic to tracker endpoints
- Patterns of sequential tracker ID access attempts
SIEM Query:
source="tuleap" AND (uri_path="/api/*tracker*" OR uri_path="/api/v*/*tracker*") AND response_code=200 AND user NOT IN authorized_users
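The three log indicators listed above can be checked offline against an exported access log before a SIEM rule is written. The script below is an added example, not Tuleap code or a Tuleap log format: it assumes a reverse-proxy access log in which each line carries the authenticated user, the client address, the request line and the status code, and it assumes a hypothetical `AUTHORIZED` map of the tracker IDs each user may read, exported from the project membership and tracker permission settings. The sample log lines are constructed. It flags successful reads of trackers outside a user's allowed set, runs of sequential tracker IDs, and a burst of permission denials followed by a successful read.

```python
"""Offline detection of the CVE-2025-30155 log indicators.  Added example,
not Tuleap code.  Log format, field order and the authorisation map are
assumptions; the sample log lines are constructed."""
import re
from collections import defaultdict

# Assumed access-log shape: <user> <client_ip> "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<user>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Tracker endpoints, with or without an API version segment.
TRACKER_RE = re.compile(r"^/api(?:/v\d+)?/trackers/(?P<tid>\d+)")

# Hypothetical export of who may read which tracker (not a Tuleap API).
AUTHORIZED = {
    "alice": {101, 102},
    "bob": {205},
}

# Constructed sample log: bob probes trackers 300-303 and succeeds on two.
SAMPLE_LOG = """\
alice 10.0.0.5 "GET /api/trackers/101 HTTP/1.1" 200
alice 10.0.0.5 "GET /api/trackers/102/artifacts HTTP/1.1" 200
bob 10.0.0.9 "GET /api/trackers/205 HTTP/1.1" 200
bob 10.0.0.9 "GET /api/trackers/300 HTTP/1.1" 403
bob 10.0.0.9 "GET /api/trackers/301 HTTP/1.1" 403
bob 10.0.0.9 "GET /api/trackers/302 HTTP/1.1" 200
bob 10.0.0.9 "GET /api/trackers/303 HTTP/1.1" 200
carol 10.0.0.7 "GET /api/projects/7 HTTP/1.1" 200
""".splitlines()


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    t = TRACKER_RE.match(rec["path"])
    rec["tracker_id"] = int(t.group("tid")) if t else None
    return rec


def tracker_events(lines):
    """Yield parsed records that hit a tracker endpoint, in log order."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tracker_id"] is not None:
            yield rec


def find_unauthorized_reads(lines, authorized):
    """Successful (200) tracker reads for trackers outside the user's allowed set."""
    hits = []
    for rec in tracker_events(lines):
        allowed = authorized.get(rec["user"], set())
        if rec["status"] == 200 and rec["tracker_id"] not in allowed:
            hits.append((rec["user"], rec["tracker_id"]))
    return hits


def _flush(user, current, runs, min_run):
    span = current.pop(user, None)
    if span and span[1] - span[0] + 1 >= min_run:
        runs[user].append(span)


def find_sequential_scans(lines, min_run=3):
    """Per user, runs of consecutive tracker IDs requested back to back."""
    runs = defaultdict(list)
    current = {}  # user -> (first_id, last_id) of the run in progress
    for rec in tracker_events(lines):
        user, tid = rec["user"], rec["tracker_id"]
        if user in current and tid == current[user][1] + 1:
            current[user] = (current[user][0], tid)
        else:
            _flush(user, current, runs, min_run)
            current[user] = (tid, tid)
    for user in list(current):
        _flush(user, current, runs, min_run)
    return dict(runs)


def find_denied_then_allowed(lines, min_denials=2):
    """Users with >= min_denials tracker 403s immediately followed by a 200."""
    denials = defaultdict(int)
    flagged = []
    for rec in tracker_events(lines):
        user = rec["user"]
        if rec["status"] == 403:
            denials[user] += 1
        elif rec["status"] == 200:
            if denials[user] >= min_denials:
                flagged.append((user, rec["tracker_id"], denials[user]))
            denials[user] = 0
    return flagged


if __name__ == "__main__":
    print("unauthorized reads:", find_unauthorized_reads(SAMPLE_LOG, AUTHORIZED))
    print("sequential scans:  ", find_sequential_scans(SAMPLE_LOG))
    print("denied then allowed:", find_denied_then_allowed(SAMPLE_LOG))
```

The first check is the only one that confirms an actual disclosure; the other two are behavioural and will also fire on legitimate bulk tooling, so use them to prioritise review rather than as alerts on their own. The authorisation map is the hard part in practice: it has to be regenerated whenever project membership or tracker permissions change, which is also true of the `authorized_users` lookup in the SIEM query above.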
🔗 References
- https://github.com/Enalean/tuleap/commit/0921df3a1c1aa20fc359b373f001a77c43b1b726
- https://github.com/Enalean/tuleap/security/advisories/GHSA-6hr4-h6px-7ppg
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=0921df3a1c1aa20fc359b373f001a77c43b1b726
- https://tuleap.net/plugins/tracker/?aid=42237