
CVE-2022-31128: CWE-862: Missing Authorization in Enalean tuleap

Medium
Published: Mon Aug 01 2022 (08/01/2022, 16:20:13 UTC)
Source: CVE
Vendor/Project: Enalean
Product: tuleap

Description

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not properly verify permissions when creating branches with the REST API in Git repositories using the fine grained permissions. Users can create branches via the REST endpoint `POST git/:id/branches` regardless of the permissions set on the repository. This issue has been fixed in version 13.10.99.82 Tuleap Community Edition as well as in version 13.10-3 of Tuleap Enterprise Edition. Users are advised to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

AI analysis last updated: 06/23/2025, 01:36:00 UTC

Technical Analysis

CVE-2022-31128 is a missing-authorization flaw (CWE-862) in Enalean's Tuleap, an open-source suite for managing software development and collaboration. The REST endpoint that creates Git branches, `POST git/:id/branches`, did not check the repository's fine-grained permissions before creating the branch. In the affected range (>= 13.9.99.110 and < 13.10.99.82) any authenticated user who could reach the endpoint could therefore create a branch in a repository that uses fine-grained permissions, whatever write permissions were actually configured on it. The same operation performed through a regular Git push is subject to those permissions, so the REST path was the one on which the check was missing.

Creating a branch does not by itself push new commits: the new branch points at an existing commit or ref. The integrity impact therefore comes from whatever trusts branch names and the permissions that were supposed to govern them: release or deployment pipelines keyed on a branch pattern, and review or protection conventions that assume only a restricted group can create certain branches.

The issue is fixed in Tuleap Community Edition 13.10.99.82 and Tuleap Enterprise Edition 13.10-3; no workaround exists, so upgrading is the only remediation. No active exploitation had been reported as of publication. Exploitation requires no user interaction, but it does require an authenticated account on the Tuleap instance, so the realistic actors are insiders and holders of compromised credentials.
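The following is an added illustration written for this page, not Tuleap's code. It models a Git repository with Tuleap-style fine-grained permissions (a ref pattern such as `refs/heads/release/*` names the user groups allowed to write to matching refs) and shows the CWE-862 pattern described above side by side with its correction: `create_branch_vulnerable()` behaves like the affected `POST git/:id/branches` and checks only that the caller can see the repository, while `create_branch_fixed()` adds the missing per-branch write check. All group names, users, commit ids and the pattern-matching rule (most specific pattern wins, default deny) are assumptions made for the demo.

```python
"""Model of the authorization gap behind CVE-2022-31128 (added example, not Tuleap code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


class Forbidden(Exception):
    """Caller lacks the required permission (would be an HTTP 403)."""


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass
class Repository:
    readers: frozenset          # groups allowed to read the repository
    fine_grained: dict          # ref pattern -> frozenset of groups with write access
    branches: dict = field(default_factory=dict)  # branch name -> commit id


def can_read(user, repo):
    return bool(user.groups & repo.readers)


def can_write_ref(user, repo, ref):
    """Fine-grained write check: the most specific (longest) matching pattern decides.
    Default deny: a ref matching no pattern is not writable (assumed rule)."""
    matching = [p for p in repo.fine_grained if fnmatchcase(ref, p)]
    if not matching:
        return False
    most_specific = max(matching, key=len)
    return bool(user.groups & repo.fine_grained[most_specific])


def _resolve(repo, reference):
    """A new branch only points at an existing commit: accept a branch name or a known commit id."""
    if reference in repo.branches:
        return repo.branches[reference]
    if reference in repo.branches.values():
        return reference
    raise KeyError(f"unknown reference {reference!r}")


def create_branch_vulnerable(user, repo, branch_name, reference):
    """As in affected versions: repository visibility is the only check performed."""
    if not can_read(user, repo):
        raise Forbidden("repository not visible")
    if branch_name in repo.branches:
        raise ValueError("branch already exists")
    commit = _resolve(repo, reference)
    repo.branches[branch_name] = commit
    return commit


def create_branch_fixed(user, repo, branch_name, reference):
    """Corrected handler: additionally require write permission on refs/heads/<branch_name>."""
    if not can_read(user, repo):
        raise Forbidden("repository not visible")
    if not can_write_ref(user, repo, "refs/heads/" + branch_name):
        raise Forbidden(f"no write permission on refs/heads/{branch_name}")
    if branch_name in repo.branches:
        raise ValueError("branch already exists")
    commit = _resolve(repo, reference)
    repo.branches[branch_name] = commit
    return commit


def fresh_repo():
    """Constructed repository: developers may create ordinary branches, only release managers release/*."""
    return Repository(
        readers=frozenset({"project_members"}),
        fine_grained={
            "refs/heads/*": frozenset({"developers"}),
            "refs/heads/release/*": frozenset({"release_managers"}),
        },
        branches={"main": "0f1e2d3c"},
    )


def run_scenario(handler):
    """Run constructed attempts against a fresh repo; map (user, branch) -> 'created' or 'forbidden'."""
    repo = fresh_repo()
    alice = User("alice", frozenset({"project_members", "developers"}))
    bob = User("bob", frozenset({"project_members", "release_managers"}))
    carol = User("carol", frozenset({"another_project"}))
    attempts = [
        (alice, "feature/login"),   # allowed by refs/heads/*
        (alice, "release/1.0"),     # should be refused: release/* is for release managers only
        (bob, "release/2.0"),       # legitimate release-manager action
        (carol, "feature/probe"),   # cannot even see the repository
    ]
    outcomes = {}
    for user, branch in attempts:
        try:
            handler(user, repo, branch, "main")
            outcomes[(user.name, branch)] = "created"
        except Forbidden:
            outcomes[(user.name, branch)] = "forbidden"
    return outcomes


if __name__ == "__main__":
    for label, handler in (("vulnerable", create_branch_vulnerable), ("fixed", create_branch_fixed)):
        print(label)
        for key, outcome in run_scenario(handler).items():
            print("  ", key, outcome)
```

The vulnerable handler lets `alice` create `release/1.0` even though only release managers may write to `refs/heads/release/*`; the fixed handler refuses it while still allowing her ordinary branch and the release manager's own release branch. The point of the model is where the check lives: a permission system that is enforced on the push path but not on every API that mutates refs is only as strong as its weakest entry point.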

Potential Impact

For European organizations that use Tuleap for software development, the risk is to the integrity and trustworthiness of their source repositories rather than to confidentiality or availability. A user who should not be able to touch certain branches can create them anyway, which undermines every process built on the assumption that fine-grained permissions are enforced: branch-protection conventions, release workflows, and CI/CD pipelines that build or deploy from branches matching a trusted pattern. If such a pipeline picks up an attacker-created branch, unauthorized code can reach a build, a staging system or a downstream consumer, which is a supply-chain exposure. Organizations in regulated sectors (finance, healthcare, critical infrastructure) may additionally face audit and software-integrity compliance findings. Because the flaw is exploitable by any authenticated user, the likely actors are insiders and compromised accounts acting beyond their assigned repository permissions. The absence of known exploitation lowers the immediate risk, but the affected versions were widely used and the fix is a straightforward upgrade, so organizations should act promptly.

Mitigation Recommendations

1. Immediate Upgrade: Upgrade affected instances to Tuleap Community Edition 13.10.99.82 or Tuleap Enterprise Edition 13.10-3 (or later). This is the only fix; the advisory lists no workaround, and until the upgrade every authenticated user with access to a repository should be assumed able to create branches in it.
2. Access Control Review: Review user accounts and project memberships so that only people who need it have access to the affected repositories at all, since fine-grained permissions cannot be relied upon for branch creation on an unpatched instance.
3. API Usage Monitoring: Log REST calls together with the authenticated user, and review successful `POST git/:id/branches` requests against the permissions configured on the repository. Extend the review back to when an affected version (>= 13.9.99.110) was deployed, and reconcile the result with the branches actually present in each repository.
4. Network Segmentation: Restrict reachability of the Tuleap API to trusted networks and users to reduce the set of accounts that could exercise the endpoint.
5. Multi-Factor Authentication (MFA): Enforce MFA to limit the use of stolen credentials. MFA does not address the flaw itself; a legitimately authenticated user can still exploit it.
6. Incident Response Preparedness: Have a tested plan for repository integrity incidents, including removal of unauthorized branches, rollback of anything built or deployed from them, and forensic review of who created them and when.
7. Security Awareness: Make developers and administrators aware that the existence of a branch in a protected namespace is not proof of authorization on an unpatched instance, and keep code review as the control that catches suspicious changes.
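As an added example for the monitoring recommendation (not part of the advisory or of Tuleap), the script below performs the retrospective review described above over access logs. It assumes a reverse proxy in front of Tuleap writing Apache "combined" logs with the authenticated user in the third field, that the REST API is served under `/api/`, and that a table derived from each repository's fine-grained permissions lists which users may create branches there; the log excerpt and the table are constructed, and real deployments (for example, API access keys that the proxy records as an anonymous user) will need the regexes and the user source adjusted.

```python
"""Retrospective detection of branch creations that bypassed repository permissions (added example)."""
import re

# Apache combined format up to the status code; trailing referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# POST git/:id/branches as exposed under the REST base path (assumed to be /api/).
BRANCH_CREATE_RE = re.compile(r'^/api/git/(?P<repo>\d+)/branches/?$')

# Constructed: users entitled to create branches, per repository id, derived out of band
# from each repository's fine-grained permissions.
BRANCH_CREATORS = {
    "42": {"alice", "bob"},
    "77": {"bob"},
}

# Constructed log excerpt. "-" in the user field means the request was unauthenticated.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Aug/2022:10:01:02 +0000] "POST /api/git/42/branches HTTP/1.1" 201 312 "-" "curl/7.68.0"
10.0.0.9 - mallory [01/Aug/2022:10:02:15 +0000] "POST /api/git/42/branches HTTP/1.1" 201 312 "-" "python-requests/2.27"
10.0.0.9 - mallory [01/Aug/2022:10:02:40 +0000] "GET /api/git/42/branches HTTP/1.1" 200 1890 "-" "python-requests/2.27"
10.0.0.7 - carol [01/Aug/2022:10:03:00 +0000] "POST /api/git/77/branches?x=1 HTTP/1.1" 201 312 "-" "curl/7.68.0"
10.0.0.3 - bob [01/Aug/2022:10:04:00 +0000] "POST /api/git/77/branches HTTP/1.1" 201 312 "-" "curl/7.68.0"
10.0.0.3 - - [01/Aug/2022:10:05:00 +0000] "POST /api/git/42/branches HTTP/1.1" 401 0 "-" "curl/7.68.0"
10.0.0.9 - mallory [01/Aug/2022:10:06:00 +0000] "POST /api/git/42/branches HTTP/1.1" 400 88 "-" "python-requests/2.27"
"""


def parse_line(line):
    """Return the matched fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def branch_creations(log_text):
    """Yield successful (2xx) POST git/:id/branches calls as dicts with user, repo, ts and ip."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["status"].startswith("2"):
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching the route
        pm = BRANCH_CREATE_RE.match(path)
        if not pm:
            continue
        yield {"user": rec["user"], "repo": pm["repo"], "ts": rec["ts"], "ip": rec["ip"]}


def find_unauthorized_branch_creations(log_text, creators):
    """Successful branch creations by users not entitled to create branches in that repository."""
    return [c for c in branch_creations(log_text)
            if c["user"] not in creators.get(c["repo"], set())]


if __name__ == "__main__":
    for hit in find_unauthorized_branch_creations(SAMPLE_LOG, BRANCH_CREATORS):
        print(f"{hit['ts']} user={hit['user']} repo={hit['repo']} ip={hit['ip']}")
```

Only successful creations are reported; failed attempts (401, 400) are ignored, and a 403 on this route after the upgrade is the expected sign that the check is now enforced. Each hit should be reconciled with the repository itself (does the branch still exist, what does it point at, did any pipeline consume it) before deciding whether it was an exploitation of the flaw or a permission table that is simply out of date.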


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf387a

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 1:36:00 AM

Last updated: 7/29/2025, 7:49:16 PM
