Configuration Manipulation Vulnerability in Tuleap Software Suite
CVE-2025-27094

5.4 MEDIUM

Key Information:

Vendor: Enalean

Status
Vendor
CVE Published: 3 March 2025

What is CVE-2025-27094?

A vulnerability in Tuleap allows a malicious user with access to a tracker to manipulate field configurations. This can lead to unintended information loss, including the loss of settings for various field attributes like display time, size, default values, and row/column configurations in saved reports. Furthermore, specific versions of Tuleap Community Edition are susceptible to crashes triggered by this exploitation, effectively preventing user access to critical tracker data. The issue has been addressed in Tuleap Community Edition version 16.4.99.1739877910 and Tuleap Enterprise Edition versions 16.3-9 and 16.4-4.

Affected Version(s)

tuleap < 16.4.99.1739877910

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
