BIT-openproject-2021-32763
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/openproject/BIT-openproject-2021-32763.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-openproject-2021-32763
- Aliases
- Published
- 2024-03-06T11:00:32.386Z
- Modified
- 2025-01-14T09:26:58.151332Z
- Summary
- [none]
- Details
-
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the
MessagesControllerclass of OpenProject has aquotemethod that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip<pre>tags from the message being quoted. The(.|\s)part can match a space character in two ways, so an unterminated<pre>tag containingnspaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually. - Database specific
{ "cpes": [ "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*" ], "severity": "Medium" }- References
Affected packages
Bitnami / openproject
Package
- Name
- openproject
- Purl
- pkg:bitnami/openproject
Severity
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator