OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.
The vulnerability is located in the file modules/reporting/lib/report/operator.rb (line 177), where the =n operator constructs SQL queries by directly embedding user data into the WHERE clause without using parameterization mechanisms (prepared statements). An authenticated user can provide specially crafted input data that will be interpreted as part of an SQL command. The network attack vector (AV:N) with low privileges (PR:L) and no user interaction (UI:N) means that only having an account in the application is sufficient to carry out the attack.
An attacker can gain unauthorized access to data stored in the database, modify or delete project information, and due to the changed scope (S:C), the impact may extend beyond the application itself. The vulnerability poses a high impact on system integrity and availability, as well as partial impact on data confidentiality.
OpenProject should be updated to version 17.2.3 or later, in which the vulnerability has been removed. The patch is available in the official GitHub repository at https://github.com/opf/openproject/releases/tag/v17.2.3. Until the update is applied, it is recommended to restrict access to the reporting module only to trusted users.
OpenProject in versions prior to 17.2.3 (all installations based on the reporting module containing the vulnerable =n operator).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:HOpenproject
APPOpenproject< 17.2.3
Related vulnerabilities
Stored XSS w module Repositories aplikacji OpenProject
SQL Injection w OpenProject umożliwiający zdalne wykonanie kodu Ruby
OpenProject: command injection w endpointcie repozytorium prowadzący do RCE
OpenProject: command injection w endpoincie diff repozytorium (zapis dowolnych plików)
OpenProject — odczyt lokalnych plików przez SVG/ImageMagick przy eksporcie PDF