CVE-2025-59040
BaseFortify
Publication date: 2025-09-18
Last updated on: 2025-09-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| enalean | tuleap | 16.11.99.1757427600 |
| enalean | tuleap | 16.10-8 |
| enalean | tuleap | * |
| enalean | tuleap | 16.11-6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Tuleap involves backlog item representations not verifying the permissions of child trackers properly. As a result, users might be able to see the names of trackers they should not have access to, potentially exposing sensitive project information.
How can this vulnerability impact me?
The impact of this vulnerability is that unauthorized users may gain visibility into tracker names they are not permitted to see. This could lead to information disclosure, potentially revealing sensitive or confidential project details.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Tuleap Community Edition 16.11.99.1757427600 and in Tuleap Enterprise Edition 16.11-6 and 16.10-8. The immediate mitigation is to upgrade your Tuleap installation to one of these fixed versions.