VYPR
Unrated severityNVD Advisory· Published Dec 15, 2021· Updated Aug 4, 2024

Indirect LDAP injection in Tuleap

CVE-2021-43782

Description

Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. The following versions contain the fix: Tuleap Community Edition 13.2.99.83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Enalean/Tuleapllm-fuzzy2 versions
    <=13.2.99.82, <=13.1-5, <=13.2-3+ 1 more
    • (no CPE)range: <=13.2.99.82, <=13.1-5, <=13.2-3
    • (no CPE)range: < 13.2.99.83

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.