Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Indirect LDAP injection in Tuleap
Vulnerability Description
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. The following versions contain the fix: Tuleap Community Edition 13.2.99.83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
LDAP查询中使用的特殊元素转义处理不恰当(LDAP注入)
Vulnerability Title
Tuleap 注入漏洞
Vulnerability Description
Tuleap是开源的一个应用程序生命周期管理系统,可促进敏捷软件开发,设计项目,V模型,需求管理和IT服务管理。 Tuleap存在注入漏洞,攻击者可利用该漏洞通过强制更新ldap_uid属性来强制挂起帐户或接管另一个帐户。Tuleap实例需要激活并启用LDAP插件,才能利用此问题。该问题已在Tuleap社区版13.2.99.83,Tuleap企业版13.1-6和Tuleap企业版13.2-4中修补。
CVSS Information
N/A
Vulnerability Type
N/A