CVE-2017-7411
published 2017-10-30


Priority: P276, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 66.63% (99.2th percentile)
An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).

Affected

1 range

Vendor    Product    Version range    Fixed in
enalean   tuleap     <= 9.6

Detection & IOCs (extracted from sources)

url: /api/tokens
url: /api/users/{uid}/preferences
url: /account/login.php
url: /plugins/tracker/?aid={AID}
other: recent_elements
other: X-Auth-Token / X-Auth-UserId
  • Monitor REST API PATCH requests to /api/users/{id}/preferences containing a serialized PHP object payload (beginning with 'a:1:{i:0;a:1:{') in the 'recent_elements' preference key value.
  • Detect POST requests to /api/tokens followed shortly by a PATCH to /api/users/{id}/preferences from the same source IP — this two-step sequence is the exploit's authentication and payload-staging flow.
  • Alert on POST requests to /plugins/tracker/ containing a base64-encoded body parameter with a random alphabetic name — this is the exploit trigger step that causes eval() execution via the POP chain.
  • The exploit abuses the Mustache class __toString() method chaining into Transition_PostActionSubFactory::fetchPostActions() to reach eval(). Inspect PHP stack traces or error logs for these class/method names during exploitation.
  • The vulnerability is triggered when a user visits a tracker artifact page (GET/POST to /plugins/tracker/?aid=) after the malicious 'recent_elements' preference has been set, causing unserialize() to process attacker-controlled data.
  • Exploit requires valid authenticated credentials; it is not an unauthenticated attack. Detection rules should account for the authenticated REST API session flow.
  • The Metasploit module defaults to RPORT 443 (HTTPS); network-level detection must inspect TLS-decrypted traffic to catch the attack.
  • Affected versions are Tuleap 9.6 and prior; the module targets 'Tuleap <= 9.6'.
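
The first two detection bullets, as an added example (not code from this page or from Tuleap): it flags PATCH requests to the preferences endpoint whose 'recent_elements' value carries the serialized prefix quoted above or a PHP serialized-object token, and notes when a POST to /api/tokens from the same source came shortly before. The record fields, the JSON body shape, the 60-second window and the class name "ExampleClass" are assumptions; the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real traffic). Field names and the JSON body
# shape are assumptions; "ExampleClass" is a placeholder class name.
SAMPLE = [
    {"ts": "2017-11-02T10:00:00", "src": "198.51.100.7", "method": "POST",
     "path": "/api/tokens", "body": ""},
    {"ts": "2017-11-02T10:00:02", "src": "198.51.100.7", "method": "PATCH",
     "path": "/api/users/102/preferences",
     "body": r'{"key":"recent_elements","value":"a:1:{i:0;a:1:{s:2:\"id\";O:12:\"ExampleClass\":0:{}}}"}'},
    {"ts": "2017-11-02T10:05:00", "src": "203.0.113.9", "method": "POST",
     "path": "/api/tokens", "body": ""},
    {"ts": "2017-11-02T10:05:01", "src": "203.0.113.9", "method": "PATCH",
     "path": "/api/users/57/preferences",
     "body": r'{"key":"recent_elements","value":"a:0:{}"}'},
    {"ts": "2017-11-02T11:00:00", "src": "192.0.2.44", "method": "PATCH",
     "path": "/api/users/8/preferences",
     "body": r'{"key":"recent_elements","value":"a:1:{i:0;a:1:{s:2:\"id\";i:1;}}"}'},
]

TOKENS = re.compile(r"^/api/tokens/?$")
PREFS = re.compile(r"^/api/users/\d+/preferences/?$")
PAGE_PREFIX = "a:1:{i:0;a:1:{"             # prefix quoted in the bullets above
PHP_OBJECT = re.compile(r'O:\d+:\\?"')     # PHP serialized-object token

def detect(records, window=timedelta(seconds=60)):
    """Return (src, path, reasons) for suspicious preference updates."""
    last_token, alerts = {}, []
    for r in sorted(records, key=lambda r: datetime.fromisoformat(r["ts"])):
        ts = datetime.fromisoformat(r["ts"])
        if r["method"] == "POST" and TOKENS.match(r["path"]):
            last_token[r["src"]] = ts      # remember token request per source
            continue
        if (r["method"] != "PATCH" or not PREFS.match(r["path"])
                or "recent_elements" not in r["body"]):
            continue
        reasons = []
        if PAGE_PREFIX in r["body"]:
            reasons.append("serialized-prefix")
        if PHP_OBJECT.search(r["body"]):
            reasons.append("php-object")
        seen = last_token.get(r["src"])
        if reasons and seen is not None and ts - seen <= window:
            reasons.append("token-then-patch")
        if reasons:                        # the sequence alone is normal client behaviour
            alerts.append((r["src"], r["path"], reasons))
    return alerts
```

Calling detect(SAMPLE) reports the first and last PATCH records; the empty-array update from 203.0.113.9 is not flagged even though it follows a token request.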

CVSS provenance

nvd   v3.0   8.8   HIGH     CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P