CVE-2021-41155: SQL injection in CVS revisions browser
First published: Mon Oct 18 2021(Updated: )
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix: Tuleap Community Edition 11.17.99.146, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Enalean Tuleap | <11.17.99.146 | |
| Enalean Tuleap | >=11.16-1<11.16-7 | |
| Enalean Tuleap | >=11.17-1<11.17-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Enalean/tuleap/commit/ff75f2899c60a4546ee2d532e68a3febd07bdd14
- https://github.com/Enalean/tuleap/security/advisories/GHSA-f8jp-hx4q-wxvr
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=ff75f2899c60a4546ee2d532e68a3febd07bdd14
- https://tuleap.net/plugins/tracker/?aid=16214
Frequently Asked Questions
What is CVE-2021-41155?
CVE-2021-41155 is a vulnerability in Tuleap, an open-source suite for software development and collaboration, where user inputs are not properly sanitized when constructing SQL queries, potentially allowing for SQL injection attacks.
How severe is CVE-2021-41155?
CVE-2021-41155 has a severity rating of 8.8, which is considered high.
How does CVE-2021-41155 affect Tuleap?
CVE-2021-41155 affects Tuleap versions up to 11.17.99.146 (community edition) and certain versions in the range 11.16-1 to 11.16-7 and 11.17-1 to 11.17-5 (enterprise edition).
How can I fix CVE-2021-41155?
To fix CVE-2021-41155, upgrade to Tuleap version 11.17.99.146 (community edition) or versions outside the affected range (enterprise edition).
What is the Common Weakness Enumeration (CWE) ID for CVE-2021-41155?
The CWE ID for CVE-2021-41155 is CWE-89, which refers to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/author
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/enalean
- canonical/enalean tuleap
- version/enalean tuleap/11.16-1
- version/enalean tuleap/11.17-1