A SQL injection vulnerability in the activities API in OpenProject before 8.3.2
allows a remote attacker to execute arbitrary SQL commands via the id
parameter. The attack can be performed unauthenticated if OpenProject is configured
not to require authentication for API access.
This vulnerability has been assigned the CVE identifier CVE-2019-11600.
Versions Affected: 5.0.0 - 8.3.1
Not affected: Versions < 5.0.0
Fixed Versions: 8.3.2, 9.0.0
Journals rendered by the activities API are aggregated before output according to the aggregation setting.
The AggregatedJournal is derived from a journal ID supplied through the notes_id parameter.
This value was used to build a raw SQL string, which resulted in the vulnerability.
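The following is an added illustration, not OpenProject's own code: it contrasts the weak pattern the advisory describes (a request-supplied journal ID interpolated into a raw SQL string) with a hardened builder that coerces the value to an integer and hands it over as a bind parameter. The table and column names and the `$1` placeholder syntax are assumptions chosen to mirror the description.

```ruby
# Added example (not OpenProject's code). The advisory describes a journal ID taken
# from the `notes_id` parameter being spliced into a raw SQL string.
# `build_journal_sql_vulnerable` reproduces that pattern for contrast;
# `build_journal_sql_safe` shows the defensive version.

# Hypothetical table/column names, chosen to mirror the advisory's description.
SELECT_AGGREGATED = "SELECT journals.* FROM journals WHERE journals.id = "

# Weak pattern: whatever text arrives in the request lands verbatim in the statement,
# so the client controls part of the SQL.
def build_journal_sql_vulnerable(notes_id)
  SELECT_AGGREGATED + notes_id.to_s
end

# Hardened pattern: the value never becomes part of the SQL text. It is parsed as a
# base-10 integer first (any non-integer input, SQL fragments included, is rejected)
# and then passed back as a bind parameter next to a placeholder.
def build_journal_sql_safe(notes_id)
  id = Integer(notes_id.to_s, 10, exception: false)
  raise ArgumentError, "notes_id must be an integer, got #{notes_id.inspect}" if id.nil?
  raise ArgumentError, "notes_id must be positive" unless id.positive?
  { sql: SELECT_AGGREGATED + "$1", binds: [id] }
end

# Regression check a reviewer can run: the assembled SQL ends in the placeholder only
# and every bind value is an Integer, i.e. no literal made it into the statement.
def safe_sql_has_no_literal?(query)
  query[:sql].end_with?("= $1") && query[:binds].all?(Integer)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a well-formed ID and a malformed value a client could send.
  puts build_journal_sql_vulnerable("42")      # literal spliced into the SQL text
  puts build_journal_sql_vulnerable("42abc")   # arbitrary text spliced into the SQL text
  p build_journal_sql_safe("42")               # {:sql=>"... = $1", :binds=>[42]}
  begin
    build_journal_sql_safe("42abc")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```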
OpenProject 8.3.2 was released last week with a proper fix for this vulnerability.
To aid users who aren't able to upgrade immediately, we have provided a patch for all affected versions:
CVE-2019-11600.patch - Patch for all versions from 5.0.0 to 8.3.2
Thanks to Thanaphon Soo from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing this issue.