CVE-2021-43830 - OpenCVE

OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openproject	Openproject

Configuration 1 [-]

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/opf/openproject/pull/9983
https://github.com/opf/openproject/pull/9983.patch
https://github.com/opf/openproject/releases/tag/v12.0.4
https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-14T19:25:12

Updated: 2024-08-04T04:10:15.747Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43830

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-14T20:15:07.813

Modified: 2021-12-20T16:47:26.213

Link: CVE-2021-43830

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "openproject", "vendor": "opf", "versions": [{"status": "affected", "version": ">= 12.0.0, < 12.0.4"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-14T19:25:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/pull/9983"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}], "source": {"advisory": "GHSA-f565-3whr-6m96", "discovery": "UNKNOWN"}, "title": "SQL injection in OpenProject", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43830", "STATE": "PUBLIC", "TITLE": "SQL injection in OpenProject"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openproject", "version": {"version_data": [{"version_value": ">= 12.0.0, < 12.0.4"}]}}]}, "vendor_name": "opf"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96", "refsource": "CONFIRM", "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}, {"name": "https://github.com/opf/openproject/pull/9983", "refsource": "MISC", "url": "https://github.com/opf/openproject/pull/9983"}, {"name": "https://github.com/opf/openproject/pull/9983.patch", "refsource": "MISC", "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"name": "https://github.com/opf/openproject/releases/tag/v12.0.4", "refsource": "MISC", "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}]}, "source": {"advisory": "GHSA-f565-3whr-6m96", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:15.747Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opf/openproject/pull/9983"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43830", "datePublished": "2021-12-14T19:25:12", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:10:15.747Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DB8D80E-6001-4F98-98AE-4E96A774E4A7", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"}, {"lang": "es", "value": "OpenProject es un software de administraci\u00f3n de proyectos basado en la web. OpenProject versiones posteriores a 12.0.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n SQL en el m\u00f3dulo budgets. Para los usuarios autenticados con el permiso \"Edit budgets\", la petici\u00f3n para reasignar paquetes de trabajo a otro presupuesto no sanea suficientemente la entrada del usuario en el par\u00e1metro \"reassign_to_id\". La vulnerabilidad ha sido corregida en la versi\u00f3n 12.0.4. Las versiones anteriores a la 12.0.0 no est\u00e1n afectadas. Si est\u00e1 actualizando desde una versi\u00f3n anterior, aseg\u00farese de que est\u00e1 actualizando al menos a la versi\u00f3n 12.0.4. Si no puede actualizar a tiempo, puede aplicar el siguiente parche: https://github.com/opf/openproject/pull/9983.patch"}], "id": "CVE-2021-43830", "lastModified": "2021-12-20T16:47:26.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-14T20:15:07.813", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opf/openproject/pull/9983"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opf/openproject/pull/9983.patch"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/opf/openproject/releases/tag/v12.0.4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}