{"id":"CVE-2021-41147","details":"Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with admin rights in one agile dashboard service can execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.173, Tuleap Enterprise Edition 11.16-6, and Tuleap Enterprise Edition 11.15-8 contain a patch for this issue.","modified":"2026-04-10T04:38:35.298713Z","published":"2021-10-15T14:15:08.247Z","related":["GHSA-j2mq-65wv-prmp"],"references":[{"type":"FIX","url":"https://github.com/Enalean/tuleap/commit/d6b2f8b8c5098938bc094726a4826479ddbee941"},{"type":"FIX","url":"https://github.com/Enalean/tuleap/security/advisories/GHSA-j2mq-65wv-prmp"},{"type":"FIX","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6b2f8b8c5098938bc094726a4826479ddbee941"},{"type":"EVIDENCE","url":"https://tuleap.net/plugins/tracker/?aid=15131"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/enalean/tuleap","events":[{"introduced":"0"},{"fixed":"d6b2f8b8c5098938bc094726a4826479ddbee941"}]},{"type":"GIT","repo":"https://github.com/enalean/tuleap","events":[{"introduced":"0"},{"fixed":"d6b2f8b8c5098938bc094726a4826479ddbee941"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"11.16.99.173"}]},{"events":[{"introduced":"11.15-1"},{"fixed":"11.15-8"}]},{"events":[{"introduced":"11.16-1"},{"fixed":"11.16-6"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41147.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}