Cyber Resilience

CVE-2024-47767

MediumPublic PoC

Published: 14 October 2024

Published
14 October 2024
Modified
17 October 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0034 57.1th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47767 is a medium-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Enalean Tuleap. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked in the top 42.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, users might see tracker names they should not have access to.…

more

Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

The vulnerability enables low-privileged users to view unauthorized tracker names in Tuleap, an information repository for development artifacts, facilitating data collection from such repositories.

Affected Assets

enalean
tuleap
≤ 15.12-8 · ≤ 15.13.99.113 · 15.13-0 — 15.13-5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-755

Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure.

addresses: CWE-755

Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.

addresses: CWE-755

By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors.

addresses: CWE-755

An updated contingency plan defines current actions for exceptional conditions, reducing the window for attackers to exploit improper handling leading to system failure.

addresses: CWE-755

Procedures ensure proper handling of exceptional conditions to support effective incident response.

addresses: CWE-755

Incident response testing confirms proper handling of exceptional conditions to limit exploit impact.

addresses: CWE-755

Gives users guidance on incident handling, reducing improper handling of exceptional conditions that could stem from exploited weaknesses.

addresses: CWE-755

Enforces structured response to exceptional conditions so the system cannot remain in an unsafe state.

References