CVE-2021-41147

moderate-risk
Published 2021-10-15

Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with admin rights in one agile dashboard service can execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.173, Tuleap Enterprise Edition 11.16-6, and Tuleap Enterprise Edition 11.15-8 contain a patch for this issue.

Do I need to act?

~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Enalean

References (8)

Patch https://github.com/Enalean/tuleap/commit/d6b2f8b8c5098938bc094726a4826479ddbee94...
Patch https://github.com/Enalean/tuleap/security/advisories/GHSA-j2mq-65wv-prmp
Patch https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6b2f8b8c5098938b...
Exploit https://tuleap.net/plugins/tracker/?aid=15131
Patch https://github.com/Enalean/tuleap/commit/d6b2f8b8c5098938bc094726a4826479ddbee94...
Patch https://github.com/Enalean/tuleap/security/advisories/GHSA-j2mq-65wv-prmp
Patch https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6b2f8b8c5098938b...
Exploit https://tuleap.net/plugins/tracker/?aid=15131
36
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 7/34 · Low