BIT-openproject-2021-32763

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/openproject/BIT-openproject-2021-32763.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-openproject-2021-32763
Aliases
Published
2024-03-06T11:00:32.386Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the MessagesController class of OpenProject has a quote method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip <pre> tags from the message being quoted. The (.|\s) part can match a space character in two ways, so an unterminated <pre> tag containing n spaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually.

References

Affected packages

Bitnami / openproject

Package

Name
openproject
Purl
pkg:bitnami/openproject

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.3.3