Change security fix identifier from GHSA to CVE

Updated security fix reference from GHSA to CVE.
Oliver Günther
2026-05-15 07:23:04 +02:00
committed by GitHub
parent cc23663705
commit 8e0bb08633
+1 -1
@@ -20,7 +20,7 @@ release_date: 2026-05-13
### GHSA-r85r-gjq2-f83r - Docker Container starts with SECRET_KEY_BASE default value
### CVE-2026-46386 - Docker Container starts with SECRET_KEY_BASE default value
When an attacker knew the secret key base that the application used to derive internal keys from, they could construct encrypted cookies that on the server side were decoded using [Object Marshalling](https://docs.ruby-lang.org/en/4.0/Marshal.html) which allowed the attacker to execute almost arbitrary ruby code within the container, up to a complete remote code execution. This was especially present in Docker containers that shipped with a default value as the secret key base, when it was not manually overwritten, as mentioned in the documentation.
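Review bot: The new heading drops GHSA-r85r-gjq2-f83r entirely, so anyone who tracked this fix by its GitHub advisory id can no longer find it in the release notes, and any link to the old heading's anchor stops resolving because the anchor is derived from the heading text. Consider keeping both identifiers in the heading, for example `### CVE-2026-46386 (GHSA-r85r-gjq2-f83r) - Docker Container starts with SECRET_KEY_BASE default value`, or mention the GHSA id in the first sentence of the paragraph below it. While touching this entry, the trailing "as mentioned in the documentation" in the context paragraph is ambiguous: it can be read as the documentation describing the default value or as the documentation telling operators to overwrite it, and a short rewording would make clear which is meant.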