CVE-2025-64482
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tuleap | tuleap_enterprise_edition | 17.0-1 |
| tuleap | tuleap_enterprise_edition | 16.13-6 |
| tuleap | tuleap_community_edition | 16.13.99.1762267347 |
| tuleap | tuleap_enterprise_edition | 16.12-9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a lack of cross-site request forgery (CSRF) protections in the file release system of Tuleap software versions prior to certain fixed releases. An attacker could exploit this by tricking a victim into performing unauthorized actions, such as changing commit rules or immutable tags in a SVN repository managed by Tuleap.
How can this vulnerability impact me? :
The vulnerability could allow an attacker to manipulate SVN repository settings without authorization, potentially altering commit rules or immutable tags. This could lead to unauthorized changes in the software development process, impacting the integrity and reliability of the codebase.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Tuleap Community Edition to version 16.13.99.1762267347 or later, or Tuleap Enterprise Edition to versions 17.0-1, 16.13-6, or 16.12-9 or later, as these versions include fixes for the cross-site request forgery vulnerability in the file release system.