BIT-openproject-2021-43830

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/openproject/BIT-openproject-2021-43830.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-openproject-2021-43830

Aliases

CVE-2021-43830

Published

2024-03-06T11:00:24.112Z

Modified

2025-01-14T10:11:54.504217Z

Summary

[none]

Details

OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the reassign_to_id parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch

Database specific

{
    "cpes": [
        "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / openproject

Package

Name: openproject
Purl: pkg:bitnami/openproject

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

12.0.0

Fixed

12.0.4