CVE-2025-64497

Published: Dec 8, 2025Modified: Dec 10, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.

Affected (4)

Products: Enalean: Tuleap

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Enalean Tuleap	Before 17.0.99.1762431347
Enalean Tuleap	Before 16.12-10
Enalean Tuleap	From 16.13 to 16.13-7
Enalean Tuleap	From 17.0 to 17.0-2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254

Source: security-advisories@github.com

Patch

https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v

Source: security-advisories@github.com

Vendor Advisory

https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254

Source: security-advisories@github.com

PatchBroken Link

https://tuleap.net/plugins/tracker/?aid=45583

Source: security-advisories@github.com

Issue TrackingVendor Advisory

Timeline

No history available yet.