Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-39902

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox "Apply same permissions to all sub-items of this folder" in the document manager permissions modal is not taken into account and always considered as unchecked. In situations where the permissions are being restricted some users might still keep, incorrectly, the possibility to edit or manage items. Only change made via the web UI are affected, changes directly made via the REST API are not impacted. This vulnerability is fixed in Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 4.8, indicating it can be exploited remotely over the network but requires specific conditions to be met though user interaction is required . The vulnerability impacts limited data confidentiality, integrity (unauthorized modifications), for affected systems. Impacting 1 product from enalean organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2024, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2024-07-22T14:15:06.383

Last Modified

2025-04-10T17:45:08.717

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-281
Type: Primary
CWE-281

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	enalean	tuleap	< 15.9-8	Yes
Application	enalean	tuleap	< 15.10.99.128	Yes
Application	enalean	tuleap	< 15.10-6	Yes

References

https://github.com/Enalean/tuleap/commit/580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb Patch ([email protected])
https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7 Vendor Advisory ([email protected])
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb Broken Link ([email protected])
https://tuleap.net/plugins/tracker/?aid=38675 Vendor Advisory ([email protected])
https://github.com/Enalean/tuleap/commit/580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://tuleap.net/plugins/tracker/?aid=38675 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For enalean's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.