CVE-2024-39902 — MEDIUM (4.8)

Q: How severe is CVE-2024-39902?

CVE-2024-39902 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-39902?

Check the references section above for vendor advisories and patch information. Affected products include: Enalean Tuleap.

Vulnerability Description

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox "Apply same permissions to all sub-items of this folder" in the document manager permissions modal is not taken into account and always considered as unchecked. In situations where the permissions are being restricted some users might still keep, incorrectly, the possibility to edit or manage items. Only change made via the web UI are affected, changes directly made via the REST API are not impacted. This vulnerability is fixed in Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8.

CVSS Score

4.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Enalean	Tuleap	< 15.9-8

Related Weaknesses (CWE)

CWE-281

References

https://github.com/Enalean/tuleap/commit/580161e8a065fba30ca5ca1f6f1bdb4f4b1424bPatch
https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7Vendor Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=580161e8a065fba30Broken Link
https://tuleap.net/plugins/tracker/?aid=38675Vendor Advisory
https://github.com/Enalean/tuleap/commit/580161e8a065fba30ca5ca1f6f1bdb4f4b1424bPatch
https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7Vendor Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=580161e8a065fba30Broken Link
https://tuleap.net/plugins/tracker/?aid=38675Vendor Advisory

FAQ

What is CVE-2024-39902?

CVE-2024-39902 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the ch...

How severe is CVE-2024-39902?

CVE-2024-39902 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-39902?

Check the references section above for vendor advisories and patch information. Affected products include: Enalean Tuleap.