CVE-2021-43830 - OpenCVE

OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Openproject	Openproject

Configuration 1 [-]

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/opf/openproject/pull/9983	Patch Third Party Advisory
https://github.com/opf/openproject/pull/9983.patch	Patch Third Party Advisory
https://github.com/opf/openproject/releases/tag/v12.0.4	Release Notes Third Party Advisory
https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-14T19:25:12

Updated: 2021-12-14T19:25:12

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43830

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-14T20:15:07.813

Modified: 2021-12-20T16:47:26.213

Link: CVE-2021-43830

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "openproject", "vendor": "opf", "versions": [{"status": "affected", "version": ">= 12.0.0, < 12.0.4"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-14T19:25:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/pull/9983"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}], "source": {"advisory": "GHSA-f565-3whr-6m96", "discovery": "UNKNOWN"}, "title": "SQL injection in OpenProject", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43830", "STATE": "PUBLIC", "TITLE": "SQL injection in OpenProject"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openproject", "version": {"version_data": [{"version_value": ">= 12.0.0, < 12.0.4"}]}}]}, "vendor_name": "opf"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96", "refsource": "CONFIRM", "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}, {"name": "https://github.com/opf/openproject/pull/9983", "refsource": "MISC", "url": "https://github.com/opf/openproject/pull/9983"}, {"name": "https://github.com/opf/openproject/pull/9983.patch", "refsource": "MISC", "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"name": "https://github.com/opf/openproject/releases/tag/v12.0.4", "refsource": "MISC", "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}]}, "source": {"advisory": "GHSA-f565-3whr-6m96", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43830", "datePublished": "2021-12-14T19:25:12", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2021-12-14T19:25:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DB8D80E-6001-4F98-98AE-4E96A774E4A7", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"}, {"lang": "es", "value": "OpenProject es un software de administraci\u00f3n de proyectos basado en la web. OpenProject versiones posteriores a 12.0.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n SQL en el m\u00f3dulo budgets. Para los usuarios autenticados con el permiso \"Edit budgets\", la petici\u00f3n para reasignar paquetes de trabajo a otro presupuesto no sanea suficientemente la entrada del usuario en el par\u00e1metro \"reassign_to_id\". La vulnerabilidad ha sido corregida en la versi\u00f3n 12.0.4. Las versiones anteriores a la 12.0.0 no est\u00e1n afectadas. Si est\u00e1 actualizando desde una versi\u00f3n anterior, aseg\u00farese de que est\u00e1 actualizando al menos a la versi\u00f3n 12.0.4. Si no puede actualizar a tiempo, puede aplicar el siguiente parche: https://github.com/opf/openproject/pull/9983.patch"}], "id": "CVE-2021-43830", "lastModified": "2021-12-20T16:47:26.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-14T20:15:07.813", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opf/openproject/pull/9983"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}