|Category:||Web application abuses|
|Title:||Tuleap Object Injection vulnerability before version 9.7|
|Summary:||Tuleap version 5.0 through 9.6 allows authenticated attackers to execute arbitrary code on the host via an Object Injection vulnerability.|
The vulnerability exists because the affected code calls the unserialize() function on a value that a user can arbitrarily manipulate through the REST API interface. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow authenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation of this vulnerability requires a user account with permissions to create or access artifacts in a tracker.
Successful exploitation would allow the attacker to execute arbitrary code on the host.
Affected versions: Tuleap version 5.0 through 9.6
Solution: Update to Tuleap version 9.7
Common Vulnerability Exposure (CVE) ID: CVE-2017-7411
|Copyright||Copyright (C) 2017 Greenbone Networks GmbH|