{"api_version":"1","generated_at":"2026-04-25T03:03:38+00:00","cve":"CVE-2022-24896","urls":{"html":"https://cve.report/CVE-2022-24896","api":"https://cve.report/api/cve/CVE-2022-24896.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24896","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24896"},"summary":{"title":"CVE-2022-24896","description":"Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-06-09 06:15:00","updated_at":"2022-06-15 17:42:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://tuleap.net/plugins/tracker/?aid=26729","name":"https://tuleap.net/plugins/tracker/?aid=26729","refsource":"MISC","tags":[],"title":"Tracker report renderer and chart widgets leak information user  - request #26729 - Requests - Tuleap","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313","name":"https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313","refsource":"MISC","tags":[],"title":"request #26729 Tracker report renderer and chart widgets leak informa… · Enalean/tuleap@8e99e7c · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313","name":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313","refsource":"MISC","tags":[],"title":"Git - Tuleap","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39","name":"https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39","refsource":"CONFIRM","tags":[],"title":"Tracker report renderer and chart widgets leak information user cannot access · Advisory · Enalean/tuleap · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24896","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24896","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24896","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"enalean","cpe5":"tuleap","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24896","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"enalean","cpe5":"tuleap","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24896","STATE":"PUBLIC","TITLE":"Tracker report renderer and chart widgets leak information in Tuleap"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"tuleap","version":{"version_data":[{"version_value":"< 13.7.99.239"}]}}]},"vendor_name":"Enalean"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-862: Missing Authorization"}]}]},"references":{"reference_data":[{"name":"https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39","refsource":"CONFIRM","url":"https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39"},{"name":"https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313","refsource":"MISC","url":"https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313"},{"name":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313","refsource":"MISC","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313"},{"name":"https://tuleap.net/plugins/tracker/?aid=26729","refsource":"MISC","url":"https://tuleap.net/plugins/tracker/?aid=26729"}]},"source":{"advisory":"GHSA-x962-x43g-qw39","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-06-09 06:15:00","lastModifiedDate":"2022-06-15 17:42:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*","versionEndExcluding":"13.7.99.239","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"13.7-1","versionEndExcluding":"13.7-4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*","versionEndExcluding":"13.6-5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24896","Ordinal":"228207","Title":"CVE-2022-24896","CVE":"CVE-2022-24896","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24896","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}