Cyber Resilience

CVE-2024-46988

MediumPublic PoC

Published: 14 October 2024

Published
14 October 2024
Modified
16 October 2024
KEV Added
Patch
CVSS Score v3.1 4.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0029 53.2th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46988 is a medium-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Enalean Tuleap. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked in the top 46.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.40, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, users might receive email notification with information they should not have…

more

access to. Tuleap Community Edition 15.13.99.40, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6 fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

The vulnerability enables low-privileged authenticated users to collect sensitive tracker artifact data from Tuleap (an information repository similar to SharePoint/Confluence) via unauthorized email notifications containing full snapshots.

Affected Assets

enalean
tuleap
≤ 15.12-6 · ≤ 15.13.99.40 · 15.13-0 — 15.13-3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-755

Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure.

addresses: CWE-755

Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.

addresses: CWE-755

By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors.

addresses: CWE-755

An updated contingency plan defines current actions for exceptional conditions, reducing the window for attackers to exploit improper handling leading to system failure.

addresses: CWE-755

Procedures ensure proper handling of exceptional conditions to support effective incident response.

addresses: CWE-755

Incident response testing confirms proper handling of exceptional conditions to limit exploit impact.

addresses: CWE-755

Gives users guidance on incident handling, reducing improper handling of exceptional conditions that could stem from exploited weaknesses.

addresses: CWE-755

Enforces structured response to exceptional conditions so the system cannot remain in an unsafe state.

References