{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "matchCriteriaId": "6D8CF699-74B7-4FEE-804C-1729780FA0EE", "versionEndExcluding": "14.0.99.24", "versionStartIncluding": "12.9.99.228", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "38FC5DF7-5EF5-4EE8-9B23-539CC0F8E6C9", "versionEndExcluding": "13.12-6", "versionStartIncluding": "12.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B2BBE4EC-1B9E-44C6-A191-A23182941E2B", "versionEndExcluding": "14.0-3", "versionStartIncluding": "14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions 12.9.99.228 and above, prior to 14.0.99.24, authorizations are not properly verified when updating the branch prefix used by the GitLab repository integration. Authenticated users can change the branch prefix of any of the GitLab repository integrations they can see via the REST endpoint `PATCH /gitlab_repositories/{id}`. This action should be restricted to Git administrators. This issue is patched in Tuleap Community Edition 14.0.99.24 and Tuleap Enterprise Edition 14.0-3. There are no known workarounds."}, {"lang": "es", "value": "Tuleap es una suite libre y de c\u00f3digo abierto para mejorar la administraci\u00f3n de los desarrollos de software y la colaboraci\u00f3n. En versiones 12.9.99.228 y superiores, anteriores a 14.0.99.24, las autorizaciones no son verificadas apropiadamente cuando es actualizado el prefijo de la rama usado por la integraci\u00f3n del repositorio GitLab. 
Los usuarios autenticados pueden cambiar el prefijo de rama de cualquiera de las integraciones de repositorios de GitLab que pueden visualizar mediante el endpoint REST \"PATCH /gitlab_repositories/{id}\". Esta acci\u00f3n deber\u00eda estar restringida a administradores de Git. Este problema est\u00e1 parcheado en Tuleap Community Edition versi\u00f3n 14.0.99.24 y Tuleap Enterprise Edition versi\u00f3n 14.0-3. No son conocidas mitigaciones"}], "id": "CVE-2022-39233", "lastModified": "2024-11-21T07:17:50.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-19T11:15:11.160", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/commit/a06cb42d55c840d61a484472ed6b169ab23853ac"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-3884-972x-3ccq"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": 
"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=a06cb42d55c840d61a484472ed6b169ab23853ac"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=28848"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/commit/a06cb42d55c840d61a484472ed6b169ab23853ac"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-3884-972x-3ccq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=a06cb42d55c840d61a484472ed6b169ab23853ac"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=28848"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}