First published: Mon May 29 2023
Tuleap is an open source tool for end-to-end traceability of application and system developments. In Tuleap Community Edition prior to version 14.8.99.60 and Tuleap Enterprise Edition prior to 14.8-3 and 14.7-7, the logs of the triggered Jenkins job URLs are not properly escaped. A malicious Git administrator can set up a malicious Jenkins hook to make a victim, also a Git administrator, execute uncontrolled code when viewing those logs. Tuleap Community Edition 14.8.99.60, Tuleap Enterprise Edition 14.8-3, and Tuleap Enterprise Edition 14.7-7 contain a patch for this issue.
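The defect class described above is untrusted text (a configured hook URL) being written into an HTML log page without escaping. The following is an added example, not Tuleap's own code: it contrasts the vulnerable concatenation pattern with an escaped rendering that also refuses to turn URLs of unexpected schemes into links. The function names, the `ALLOWED_SCHEMES` set and the sample URL are assumptions constructed for the example.

```python
"""Added example (not Tuleap code): rendering a Jenkins hook URL into an HTML log line.

The vulnerable pattern writes the URL straight into markup; the hardened pattern
HTML-escapes every untrusted value and only links URLs with an expected scheme.
"""
import html
from urllib.parse import urlsplit

# Assumption for this example: hook URLs are expected to be absolute http(s) URLs.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_job_url(url: str) -> bool:
    """Return True only for absolute http(s) URLs that carry a host.

    Rejects javascript:, data: and scheme-less values so they are never emitted
    as an href, even once escaped.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_unescaped(job_url: str, status: str) -> str:
    """Vulnerable pattern: attacker-controlled text is concatenated into HTML."""
    return f'<li>Triggered <a href="{job_url}">{job_url}</a>: {status}</li>'


def render_escaped(job_url: str, status: str) -> str:
    """Hardened pattern: escape for the HTML context, and link only vetted URLs."""
    safe_status = html.escape(status, quote=True)
    safe_text = html.escape(job_url, quote=True)  # quote=True also neutralises " and '
    if not is_safe_job_url(job_url):
        # Shown as plain text, never as a clickable link.
        return f"<li>Triggered {safe_text} (not linked: unexpected URL): {safe_status}</li>"
    return f'<li>Triggered <a href="{safe_text}">{safe_text}</a>: {safe_status}</li>'


if __name__ == "__main__":
    # Constructed sample: a hook URL whose path tries to break out of the attribute.
    sample = 'https://jenkins.example.invalid/job/demo/"><b>injected</b>'
    print("vulnerable:", render_unescaped(sample, "ok"))
    print("hardened:  ", render_escaped(sample, "ok"))
    print("rejected:  ", render_escaped("javascript:void(0)", "ok"))
```

In the vulnerable output the `<b>` element survives and the quote closes the `href` attribute early; in the hardened output the same characters arrive as `&quot;&gt;&lt;b&gt;`, so the browser renders them as text. Escaping alone is not enough for an `href`, which is why the scheme check is a separate step.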
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Enalean Tuleap | <14.7-7 | |
Enalean Tuleap | <14.8.99.60 | |
Enalean Tuleap | >=14.8, <14.8-3 | |
CVE-2023-32072 is a vulnerability in Tuleap Community Edition and Tuleap Enterprise Edition that allows a malicious Git administrator to execute arbitrary code.
CVE-2023-32072 has a severity rating of 4.8 out of 10.
CVE-2023-32072 affects Tuleap Community Edition versions prior to 14.8.99.60 and Tuleap Enterprise Edition versions prior to 14.8-3 (14.8 branch) and 14.7-7 (14.7 branch).
To fix CVE-2023-32072, update Tuleap Community Edition to version 14.8.99.60 or later, and Tuleap Enterprise Edition to version 14.8-3 or later (or 14.7-7 or later on the 14.7 branch).
The Common Weakness Enumeration (CWE) ID for CVE-2023-32072 is CWE-79, which corresponds to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').