CVE-2025-64498
BaseFortify
Publication date: 2025-12-08
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tuleap | tuleap_enterprise_edition | * |
| tuleap | tuleap_community_edition | * |
| enalean | tuleap | up to 16.12-10 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Tuleap (both Community and Enterprise Editions) is a cross-site request forgery (CWE-352) that allows attackers to trick victims into changing tracker general settings. In effect, an attacker can cause a logged-in user's browser to submit a request that alters the configuration of trackers within the software, without that user intending the change. This issue affects versions prior to the fixed releases mentioned.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker could cause unauthorized changes to tracker general settings, which may lead to integrity issues or availability problems within the software development management environment. According to the CVSS score, the impact on confidentiality is none, but there is a low impact on integrity and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Tuleap Community Edition to version 17.0.99.1762444754 or later, or Tuleap Enterprise Edition to versions 17.0-2, 16.13-7, or 16.12-10 or later.