[CVE-2019-11600] SQL injection vulnerability in activities API in versions 5.0.0 - 8.3.1


OpenProject: Security

May 6, 2019, 3:27:27 AM
to OpenProject: Security
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 
allows a remote attacker to execute arbitrary SQL commands via the id
parameter. The attack can be performed unauthenticated if OpenProject is configured
not to require authentication for API access.

This vulnerability has been assigned the CVE identifier CVE-2019-11600.


Versions Affected: 5.0.0 - 8.3.1
Not affected: Versions < 5.0.0
Fixed Versions: 8.3.2, 9.0.0

Impact
Journals rendered by the activities API are aggregated before output, according to the aggregation setting.
The AggregatedJournal is derived from a journal ID that the caller supplies as notes_id (the API's id parameter).
That value was interpolated directly into a raw SQL string, which is the cause of the vulnerability: any SQL placed in the parameter becomes part of the executed statement.
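The following is an added example and not OpenProject's own code: it contrasts the bug class described above (a caller-controlled journal id concatenated into a WHERE clause) with a hardened version that validates the id and passes it as a bound parameter. The method names, the ID_PATTERN constant and the sample inputs are illustrative and constructed for this example.

```ruby
# Added example (not OpenProject code). Illustrates the Impact section:
# a caller-controlled journal id ("notes_id", taken from the API's "id"
# parameter) concatenated into raw SQL, next to a hardened variant.
# All names here are illustrative.

# VULNERABLE pattern: string interpolation builds the WHERE clause, so
# whatever the caller puts in notes_id becomes part of the statement.
def vulnerable_journal_condition(notes_id)
  "journals.id = #{notes_id}"
end

# HARDENED pattern: accept only an unsigned decimal id and hand it to the
# query layer as a bound parameter (the ["... ?", value] form that
# ActiveRecord's where() accepts). A strict regex is used rather than
# Integer(): Integer("1_000", 10) and Integer(" 12 ", 10) both succeed,
# which is looser than a primary key lookup should be.
ID_PATTERN = /\A\d+\z/

def safe_journal_condition(notes_id)
  s = notes_id.to_s
  return nil unless ID_PATTERN.match?(s) # a controller maps nil to 400/404
  ["journals.id = ?", s.to_i]
end

# Constructed inputs: one legitimate id and two injection attempts.
SAMPLE_INPUTS = ["42", "1 OR 1=1", "1; DROP TABLE journals; --"].freeze

# Run every input through both builders so the difference is visible.
def compare(inputs = SAMPLE_INPUTS)
  inputs.map do |input|
    {
      input: input,
      vulnerable: vulnerable_journal_condition(input),
      hardened: safe_journal_condition(input)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  compare.each do |r|
    puts "input:     #{r[:input].inspect}"
    puts "  raw SQL: #{r[:vulnerable]}"
    puts "  bound:   #{r[:hardened].inspect}"
  end
end
```

The vulnerable builder turns "1 OR 1=1" into a condition that matches every journal; the hardened builder rejects it before it reaches the database and only ever emits an integer bound to a placeholder. Rejecting rather than coercing (for example with to_i, which would silently turn "1 OR 1=1" into 1) keeps malformed ids visible in the request logs.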


Releases
OpenProject 8.3.2 was released last week with a proper fix for this vulnerability.


Patches
To aid users who aren't able to upgrade immediately, we have provided a patch for all affected versions.

CVE-2019-11600.patch - Patch for all versions from 5.0.0 to 8.3.1


Credits
Thanks to Thanaphon Soo from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing the identified issues.
