[CVE-2019-11600] SQL injection vulnerability in activities API in versions 5.0.0 - 8.3.1


OpenProject: Security

May 6, 2019, 3:27:27 AM
to OpenProject: Security
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 
allows a remote attacker to execute arbitrary SQL commands via the id
parameter. The attack can be performed unauthenticated if OpenProject is configured
not to require authentication for API access.

This vulnerability has been assigned the CVE identifier CVE-2019-11600.

Versions Affected: 5.0.0 - 8.3.1
Not affected: Versions < 5.0.0
Fixed Versions: 8.3.2, 9.0.0

Journals rendered in the activities API are aggregated before output according to the aggregation setting.
The AggregatedJournal is being derived from a given journal ID that is input through notes_id.
This value was used to build a raw SQL string, resulting in the vulnerability.

OpenProject 8.3.2 was released last week with a proper fix for this vulnerability.

To aid users who aren't able to upgrade immediately, we have provided a patch for all affected versions:

CVE-2019-11600.patch - Patch for all versions from 5.0.0 to 8.3.1

Thanks to Thanaphon Soo from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing this issue.
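The paragraph on the AggregatedJournal above describes the root cause: a caller-supplied journal ID was interpolated into a raw SQL string. The following is an added illustration, not OpenProject's code and not the contents of the patch: a stand-alone Ruby sketch of that vulnerable pattern next to a hardened form that first coerces the ID to an integer and then binds it through a placeholder. The function names, the query text, the small `bind_sql` binder (standing in for a framework helper such as ActiveRecord's sanitize_sql_array) and the sample inputs are all assumptions made for the example.

```ruby
# Added example (not OpenProject's code). Names, query text and inputs are
# illustrative; the real query in OpenProject differs.

# Vulnerable pattern: the caller-controlled notes_id is interpolated straight
# into the SQL string, so anything after the digits becomes part of the query.
def journal_sql_vulnerable(notes_id)
  "SELECT * FROM journals WHERE id = #{notes_id}"
end

# Quote one literal the way a database adapter would: integers pass as digits,
# strings are single-quoted with embedded quotes doubled. Illustrative only.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported literal #{value.class}"
  end
end

# Minimal placeholder binder: each ? in the template is replaced by the quoted
# literal for the matching parameter. Stands in for a framework helper.
def bind_sql(template, *params)
  parts = template.split('?', -1)
  unless parts.size == params.size + 1
    raise ArgumentError, 'placeholder/parameter count mismatch'
  end
  out = parts.first.dup
  params.each_with_index { |p, i| out << quote_literal(p) << parts[i + 1] }
  out
end

# Hardened form: a journal id can only be an integer, so reject anything else
# up front (Integer() raises ArgumentError on "42 OR 1=1"), then bind the
# value through a placeholder instead of interpolating it.
def journal_sql_safe(notes_id)
  id = Integer(notes_id.to_s, 10)
  bind_sql('SELECT * FROM journals WHERE id = ?', id)
end

# Constructed inputs for the demonstration: a benign id and an injection-shaped one.
BENIGN_ID  = '42'
PAYLOAD_ID = '42 OR 1=1'

if __FILE__ == $PROGRAM_NAME
  puts journal_sql_vulnerable(PAYLOAD_ID)   # the OR 1=1 lands inside the query
  begin
    journal_sql_safe(PAYLOAD_ID)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts journal_sql_safe(BENIGN_ID)
end
```

The integer coercion is the check that matters for an ID parameter; the placeholder binding is the general fix that also covers string-typed inputs, which is why the example shows both rather than relying on one.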
