CVE-2023-33960

EPSS 1.27%
Veröffentlicht 01.06.2023 17:15:10
Zuletzt bearbeitet 21.11.2024 08:06:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenProject vulnerable to project identifier information leakage through robots.txt

OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.

Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openproject ≫ Openproject Version < 12.5.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.27%	0.659

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://community.openproject.org/wp/48324

Permissions Required

https://github.com/opf/openproject/pull/12708

Patch

https://github.com/opf/openproject/releases/tag/v12.5.6

Release Notes

https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8

Vendor Advisory

https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch

Patch

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-33960

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33960

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33960

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-33960