CVE-2025-27150

low-risk

Published 2025-03-04

Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data. These archives are likely to be used by support teams that should not have access to this password. The vulnerability is fixed in Tuleap Community Edition 16.4.99.1740492866 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

Do I need to act?

0.59% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Tuleap

Affected Vendors

Enalean

References (3)

Patch https://github.com/Enalean/tuleap/commit/a6702622a8db969a17522b8fac0774afdb1c916...

Patch https://github.com/Enalean/tuleap/security/advisories/GHSA-jc5r-684x-j46q

Issue Tracking https://tuleap.net/plugins/tracker/?aid=41870

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 7/34 · Low