Headline
CVE-2022-31128
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions, Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories using the fine grained permissions. Users can create branches via the REST endpoint POST git/:id/branches regardless of the permissions set on the repository. This issue has been fixed in version 13.10.99.82 of Tuleap Community Edition as well as in version 13.10-3 of Tuleap Enterprise Edition. Users are advised to upgrade. There are no known workarounds for this issue.
Package
Tuleap Community Edition (tuleap)
Affected versions
>= 13.9.99.110 && < 13.10.99.82
Patched versions
13.10.99.82
Package
Tuleap Enterprise Edition (tuleap)
Affected versions
>= 13.10 && < 13.10-3
Patched versions
13.10-3
Description
Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories using the fine grained permissions.
Impact
Users can create branches via the REST endpoint POST git/:id/branches regardless of the permissions set on the repository.
Patches
The following versions contain the fix:
- Tuleap Community Edition 13.10.99.82
- Tuleap Enterprise Edition 13.10-3
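A version check against the affected and patched ranges listed in this advisory, for triaging an inventory of instances. This is an added example, not part of the advisory or of Tuleap's code; the edition labels, function names, the version-string parsing rules and the sample inventory are assumptions.

```python
import re

# Ranges copied from the advisory text; everything else here is an assumption.
CE_FIRST_AFFECTED, CE_FIXED = (13, 9, 99, 110), (13, 10, 99, 82)
EE_FIRST_AFFECTED, EE_FIXED = (13, 10, 0), (13, 10, 3)


def parse_ce(version):
    """Community Edition: four dotted integers, e.g. '13.10.99.82'."""
    if not re.fullmatch(r"\d+(?:\.\d+){3}", version):
        raise ValueError(f"not a Community Edition version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def parse_ee(version):
    """Enterprise Edition: 'MAJOR.MINOR' or 'MAJOR.MINOR-PATCH', e.g. '13.10-3'."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:-(\d+))?", version)
    if match is None:
        raise ValueError(f"not an Enterprise Edition version: {version!r}")
    # Assumption: a release without a '-PATCH' suffix sorts as patch level 0.
    return int(match[1]), int(match[2]), int(match[3] or 0)


def is_affected(edition, version):
    """True when the version falls inside the advisory's affected range."""
    version = version.strip()
    if edition == "community":
        return CE_FIRST_AFFECTED <= parse_ce(version) < CE_FIXED
    if edition == "enterprise":
        return EE_FIRST_AFFECTED <= parse_ee(version) < EE_FIXED
    raise ValueError(f"unknown edition: {edition!r}")


if __name__ == "__main__":
    # Constructed inventory of (host, edition, version); not real systems.
    inventory = [
        ("tuleap-a.example", "community", "13.9.99.110"),
        ("tuleap-b.example", "community", "13.10.99.82"),
        ("tuleap-c.example", "enterprise", "13.10-2"),
        ("tuleap-d.example", "enterprise", "13.10-3"),
    ]
    for host, edition, version in inventory:
        status = "AFFECTED, upgrade" if is_affected(edition, version) else "not in affected range"
        print(f"{host}: {edition} {version}: {status}")
```

Malformed version strings raise `ValueError` rather than being reported as unaffected, so an unparseable inventory entry cannot silently pass the check.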
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.
References
- request #27538 Fine grained permissions are not checked when creating a branch with REST API
- 58ecb1d
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=58ecb1dee1c46075d3e089980301ebfbe0bafd33