CVE-2021-32763 - OpenCVE

Vendors	Products
Openproject	Openproject

Link	Resource
https://github.com/opf/openproject/pull/9447.patch	Patch Third Party Advisory
https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f	Patch Third Party Advisory

{"containers": {"cna": {"affected": [{"product": "openproject", "vendor": "opf", "versions": [{"status": "affected", "version": "< 11.3.3"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2n states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-20T16:50:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/pull/9447.patch"}], "source": {"advisory": "GHSA-qqvp-j6gm-q56f", "discovery": "UNKNOWN"}, "title": "Regular Expression Denial of Service in OpenProject forum messages", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32763", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service in OpenProject forum messages"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openproject", "version": {"version_data": [{"version_value": "< 11.3.3"}]}}]}, "vendor_name": "opf"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2n states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f", "refsource": "CONFIRM", "url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"}, {"name": "https://github.com/opf/openproject/pull/9447.patch", "refsource": "MISC", "url": "https://github.com/opf/openproject/pull/9447.patch"}]}, "source": {"advisory": "GHSA-qqvp-j6gm-q56f", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32763", "datePublished": "2021-07-20T16:50:10", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2021-07-20T16:50:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "366A9F4F-7BF8-41F6-8A71-4E2D58687F6E", "versionEndExcluding": "11.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2n states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."}, {"lang": "es", "value": "OpenProject es un software de administraci\u00f3n de proyectos de c\u00f3digo abierto basado en la web. En versiones anteriores a 11.3.3, la clase \"MessagesController\" de OpenProject presenta un m\u00e9todo \"quote\" que implementa la l\u00f3gica detr\u00e1s del bot\u00f3n Quote en los foros de discusi\u00f3n, y usa una regex para eliminar las etiquetas \"(pre)\" del mensaje que se est\u00e1 citando. La parte \"(.|\\s)\" puede coincidir con un car\u00e1cter de espacio de dos maneras, por lo que una etiqueta \"(pre)\" no terminada que contenga \"n\" espacios causa que el motor regex de Ruby retroceda para intentar 2(sup)n(/sup) estados en el NFA. Esto resultar\u00eda en una Denegaci\u00f3n de Servicio de Expresi\u00f3n Regular. El problema es corregido en OpenProject versi\u00f3n11.3.3. Como soluci\u00f3n, se puede instalar el parche manualmente"}], "id": "CVE-2021-32763", "lastModified": "2022-04-25T19:07:01.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-07-20T17:15:07.813", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opf/openproject/pull/9447.patch"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

JSON object

JSON object

JSON object