CVE-2025-64497

Dec. 9, 2025, 6:37 p.m.

6.5
Medium

Description

Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.

Product(s) Impacted

Vendor Product Versions
Tuleap
  • Tuleap Community Edition
  • Tuleap Enterprise Edition
  • <17.0.99.1762431347
  • 17.0-2, 16.13-7, 16.12-10

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a tuleap tuleap_community_edition <17.0.99.1762431347 / / / / / / /
a tuleap tuleap_enterprise_edition 17.0-2 / / / / / / /
a tuleap tuleap_enterprise_edition 16.13-7 / / / / / / /
a tuleap tuleap_enterprise_edition 16.12-10 / / / / / / /

References

https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254
https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254
https://tuleap.net/plugins/tracker/?aid=45583

Tags

security-advisories@github.com
CWE-639
2025-12-08
CVE-2025-64497

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Dec. 8, 2025, 11:15 p.m.
Last Modified: Dec. 9, 2025, 6:37 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.