Mass update clears the permissions on artifact field

Moderate

LeSuisse published GHSA-mq7f-m6mj-hjj5

Feb 22, 2024

Package

Tuleap Community Edition (tuleap)

Affected versions

< 15.5.99.76

Patched versions

15.5.99.76

Tuleap Enterprise Edition (tuleap)

< 15.5-4

< 15.4-7

15.5-4

15.4-7

Description

Impact

Users with a read access to a tracker where the mass update feature is used might get access to restricted information.

Patches

The following versions contain the fix:

Tuleap Community Edition 15.5.99.76
Tuleap Enterprise Edition 15.5-4
Tuleap Enterprise Edition 15.4-7

For more information

If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.

References

Severity

Moderate

5.4

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

Low

User interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N