First published: Wed Dec 15 2021
Tuleap is a libre and open source tool for end-to-end traceability of application and system developments. This advisory is a follow-up to GHSA-887w-pv2r-x8pm/CVE-2021-41276: the initial fix was incomplete. Tuleap does not properly sanitize the LDAP search filter it builds from a user's ldap_id attribute during the daily synchronization. A malicious user could force accounts to be suspended, or take over another account, by forcing an update of the ldap_uid attribute. Note that the malicious user needs either site administrator capability on the Tuleap instance or an LDAP operator role with the capability to create/modify accounts. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. The following versions contain the fix: Tuleap Community Edition 13.2.99.83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4.
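The root cause is the classic CWE-90 pattern: an attacker-influenced identifier is concatenated into an LDAP search filter, so filter metacharacters such as `*`, `(` and `)` change which directory entries the synchronization job sees and therefore which accounts it updates or suspends. The Python block below is an added example written for this page, not code from Tuleap (Tuleap itself is PHP, where the equivalent defence is `ldap_escape($value, '', LDAP_ESCAPE_FILTER)`). The `uid` attribute, the `(uid=...)` filter shape, the sample directory entries and the toy filter evaluator are all assumptions made for illustration; the escaping rules themselves are those of RFC 4515.

```python
import re

# Constructed sample directory (not real data): the entries a sync job would
# look up. Assumed attribute names for illustration only.
DIRECTORY = [
    {"uid": "alice", "cn": "Alice Example"},
    {"uid": "bob", "cn": "Bob Example"},
    {"uid": "carol", "cn": "Carol Example"},
]

# RFC 4515 section 3: these characters must be written inside an assertion
# value as a backslash followed by the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be matched literally in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(ldap_id: str) -> str:
    """'Before' shape: the stored identifier is concatenated verbatim (CWE-90)."""
    return f"(uid={ldap_id})"


def hardened_filter(ldap_id: str) -> str:
    """'After' shape: the identifier is escaped before it enters the filter."""
    return f"(uid={escape_filter_value(ldap_id)})"


_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _assertion_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one assertion value into a regex: \\XX escapes become literal
    characters, an unescaped '*' becomes a wildcard, everything else is literal."""
    out = []
    i = 0
    while i < len(pattern):
        m = _HEX_ESCAPE.match(pattern, i)
        if m:
            out.append(re.escape(chr(int(m.group(1), 16))))
            i = m.end()
        elif pattern[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def matching_entries(ldap_filter: str, directory=DIRECTORY) -> list:
    """Toy evaluator for a single '(attr=value)' equality filter, enough to show
    how a real directory would treat the two filter shapes above. A production
    directory implements the full RFC 4515 grammar; this one deliberately does not."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter for this toy evaluator: {ldap_filter!r}")
    attr, pattern = m.group(1), m.group(2)
    regex = _assertion_to_regex(pattern)
    return [e["uid"] for e in directory if attr in e and regex.fullmatch(e[attr])]


if __name__ == "__main__":
    # A stored identifier of "*" widens the unescaped filter to every entry, so a
    # sync job keyed on the result acts on the wrong accounts; the escaped filter
    # matches nothing because no entry's uid is literally "*".
    for ldap_id in ("alice", "*"):
        print(ldap_id, "vulnerable:", matching_entries(vulnerable_filter(ldap_id)),
              "hardened:", matching_entries(hardened_filter(ldap_id)))
```

The practitioner's check is the last two lines of the output: a benign identifier resolves to the same single entry either way, while a metacharacter-bearing identifier resolves to every entry through the unescaped filter and to none through the escaped one. Escaping must be applied to every attacker-influenced value that is spliced into a filter, including values that were themselves read back from a database, which is the situation described in this advisory.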
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Enalean Tuleap (Community Edition) | <13.2.99.83 | Upgrade to 13.2.99.83 |
Enalean Tuleap (Enterprise Edition) | >=13.1-1, <13.1-6 | Upgrade to 13.1-6 |
Enalean Tuleap (Enterprise Edition) | >=13.2-1, <13.2-4 | Upgrade to 13.2-4 |
CVE-2021-43782 is a vulnerability in Tuleap, an open-source tool for traceability of application and system developments.
CVE-2021-43782 has a severity rating of 7.2 (High).
The affected software for CVE-2021-43782 is Enalean Tuleap Community Edition before 13.2.99.83, and Enalean Tuleap Enterprise Edition 13.1-1 up to but not including 13.1-6 and 13.2-1 up to but not including 13.2-4. Versions 13.2.99.83, 13.1-6 and 13.2-4 are the first fixed releases.
The CWEs associated with CVE-2021-43782 are CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')).
To fix CVE-2021-43782, update Tuleap to Community Edition 13.2.99.83 or later, or to Enterprise Edition 13.1-6 or 13.2-4 or later on the corresponding branch. Please refer to the official Tuleap documentation for specific patch or upgrade instructions. Instances that do not have the LDAP plugin activated and enabled are not exploitable, but should still be upgraded.