Missing Authorization in Tuleap Git Branch Source

#VU68571 Missing Authorization in Tuleap Git Branch Source

Published: 2022-10-21

Vulnerability identifier: #VU68571

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-43421

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Tuleap Git Branch Source
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to the /tuleap-hook/ endpoint can be accessed without authentication. A remote attacker can trigger Tuleap projects whose configured repository matches the attacker-specified value.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Tuleap Git Branch Source: 1.0.0 - 3.2.4

External links
http://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2852
http://www.openwall.com/lists/oss-security/2022/10/19/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing Authorization in Jenkins Tuleap Git Branch Source plugin