CVE-2023-33960

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-33960

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33960.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-33960

Aliases

BIT-openproject-2023-33960

Related

GHSA-xjfc-fqm3-95q8

Published

2023-06-01T17:15:10Z

Modified

2025-01-14T11:57:22.751316Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

OpenProject is web-based project management software. For any OpenProject installation, a robots.txt file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as Login required and prevents all truly anonymous access, the /robots.txt route remains publicly available.

Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type: GIT
Repo: https://github.com/opf/openproject
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

35aacb9b3ab1af15c2e8976f815a2b4b5832dc7b

Affected versions

11.*

11.2.1

2.*

2.4.0

release/3.*

release/3.0.0

Other

sprint/2014_08

sprint/2014_09

sprint/2014_10

sprint/2014_11

sprint/2014_12

sprint/2014_13

sprint/2014_16

sprint/2014_18

sprint/2015_01

sprint/2015_02

sprint/2015_03

sprint/2015_04

v10.*

v10.5

v11.*

v11.0.0

v11.0.1

v11.0.2

v11.0.3

v11.0.4

v11.1.0

v11.1.1

v11.1.2

v11.1.3

v11.1.4

v11.2.0

v11.2.1

v11.2.2

v11.2.3

v11.2.4

v12.*

v12.0.0

v12.0.1

v12.0.10

v12.0.2

v12.0.3

v12.0.4

v12.0.5

v12.0.6

v12.0.7

v12.0.8

v12.0.9

v12.1.0

v12.1.1

v12.1.2

v12.1.3

v12.1.4

v12.1.5

v12.1.6

v12.2.0

v12.2.1

v12.2.2

v12.2.3

v12.2.4

v12.2.5

v12.3.0

v12.3.1

v12.3.2

v12.3.3

v12.3.4

v12.4.0

v12.4.1

v12.4.2

v12.4.3

v12.4.4

v12.4.5

v12.5.0

v12.5.1

v12.5.2

v12.5.3

v12.5.4

v12.5.5

v3.*

v3.0.0

v3.0.1

v3.0.11

v3.0.12

v3.0.13

v3.0.8

v4.*

v4.0.0

v4.0.1

v4.0.10

v4.0.11

v4.0.12

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.1.0

v4.1.0-beta

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v5.*

v5.0.0

v5.0.1

v5.0.10

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v9.*

v9.0.0-pre

v9.0.2-pre