CVE-2021-41142 - OpenCVE

Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachment to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enalean	Tuleap

Configuration 1 [-]

OR	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208
https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208
https://tuleap.net/plugins/tracker/?aid=22570

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-14T16:05:13

Updated: 2024-08-04T02:59:31.700Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41142

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-14T16:15:09.617

Modified: 2021-10-20T18:07:10.410

Link: CVE-2021-41142

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "tuleap", "vendor": "Enalean", "versions": [{"status": "affected", "version": "< 12.11.99.25"}, {"status": "affected", "version": ">= 12.11-1, < 12.11-2"}]}], "descriptions": [{"lang": "en", "value": "Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachment to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-14T16:05:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208"}, {"tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208"}, {"tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/tracker/?aid=22570"}], "source": {"advisory": "GHSA-p3j6-6h9h-34r5", "discovery": "UNKNOWN"}, "title": "XSS via the name of a deleted attachment", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41142", "STATE": "PUBLIC", "TITLE": "XSS via the name of a deleted attachment"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tuleap", "version": {"version_data": [{"version_value": "< 12.11.99.25"}, {"version_value": ">= 12.11-1, < 12.11-2"}]}}]}, "vendor_name": "Enalean"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachment to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5", "refsource": "CONFIRM", "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5"}, {"name": "https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208", "refsource": "MISC", "url": "https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208"}, {"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208", "refsource": "MISC", "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208"}, {"name": "https://tuleap.net/plugins/tracker/?aid=22570", "refsource": "MISC", "url": "https://tuleap.net/plugins/tracker/?aid=22570"}]}, "source": {"advisory": "GHSA-p3j6-6h9h-34r5", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.700Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tuleap.net/plugins/tracker/?aid=22570"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41142", "datePublished": "2021-10-14T16:05:13", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.700Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "matchCriteriaId": "E96D40EA-8C9F-4052-9F5E-84F8368AD64B", "versionEndExcluding": "11.17.99.146", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A58EE8FC-2459-40EF-8991-360390118C6E", "versionEndExcluding": "12.11-2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachment to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue."}, {"lang": "es", "value": "Tuleap Open ALM es una herramienta libre y de c\u00f3digo abierto para la trazabilidad de extremo a extremo de los desarrollos de aplicaciones y sistemas. Se presenta una vulnerabilidad de tipo cross-site scripting en Tuleap Community Edition versiones anteriores a 12.11.99.25 y Tuleap Enterprise Edition versi\u00f3n 12.11-2. Un usuario malicioso con capacidad para a\u00f1adir y eliminar archivos adjuntos a un artefacto podr\u00eda forzar a la v\u00edctima a ejecutar c\u00f3digo no controlado. Tuleap Community Edition 11.17.99.146 y Tuleap Enterprise Edition 12.11-2 contienen una correcci\u00f3n del problema"}], "id": "CVE-2021-41142", "lastModified": "2021-10-20T18:07:10.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-10-14T16:15:09.617", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=22570"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}