From 96d594727903bbe96043ef17a308dcb35f4b10fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 09:59:54 +0200 Subject: [PATCH] Update security fixes --- docs/release-notes/17-3-3/README.md | 80 +++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 docs/release-notes/17-3-3/README.md diff --git a/docs/release-notes/17-3-3/README.md b/docs/release-notes/17-3-3/README.md new file mode 100644 index 00000000000..4b185833b06 --- /dev/null +++ b/docs/release-notes/17-3-3/README.md @@ -0,0 +1,80 @@ +--- +title: OpenProject 17.3.3 +sidebar_navigation: + title: 17.3.3 +release_version: 17.3.3 +release_date: 2026-06-08 +--- + +# OpenProject 17.3.3 + +Release date: 2026-06-08 + +We released [OpenProject 17.3.3](https://community.openproject.org/versions/2299). +The release contains several bug fixes and we recommend updating to the newest version. +Below you will find a complete list of all changes and bug fixes. + +## Security fixes + +### CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-f2rx-x2qj-2hgj](https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj) + +### GHSA-3vpx-94qx-xpw6 - IDOR through /projects//settings/project_storages/ via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources +A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's `project_folder_id` into the attacker's `Storages::ProjectStorage` row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-3vpx-94qx-xpw6](https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6) + +### GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]" +Turbo Drive auto-injects CSRF tokens (from ``) on forms injected via the XSS's `append` Turbo Stream action. A second action, `dispatch_event` with `name="submit"`, auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF attack + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-6crw-7f5r-4qj9](https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9) + +### GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality +OpenProject baseline comparison allows callers to request historic work-package attributes using the `timestamps` parameter. + +The timestamp parser accepts a relative date keyword on the first line because its regular expression uses line anchors. The parser validates the input, but the original multi-line string is kept and later interpolated into a raw SQL `CASE ... THEN ''` expression. + +An authenticated user who can save a query can persist a timestamp array value containing literal commas and trigger a top-level data-modifying CTE. This gives the attacker a generic database write primitive as the OpenProject application database role. + +The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account's administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-98vw-2r87-fx2r](https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r) + +### GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage..httpx_access_token" leads to Sensitive Data Exposure +OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth `access_token` plaintext to `Rails.cache` under the deterministic key `storage..httpx_access_token`, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (`file_store`, `memcache`, `redis`) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous `get` over the memcached binary protocol (or the equivalent against Redis) + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-h83w-5q5x-pq27](https://github.com/opf/openproject/security/advisories/GHSA-h83w-5q5x-pq27) + +### GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" +The HTML sanitizer grants `` elements unrestricted `data-*` attributes via `:data` wildcard. An attacker injects `data-controller="poll-for-changes"` into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to `renderStreamMessage()`. This executes arbitrary Turbo Stream actions — including `redirect_to` — in every victim's authenticated browser session, redirecting them to an attacker-controlled server. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-q33w-f822-hg8x](https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x) + +### GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE) +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-qj96-f42f-6336](https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336) + + + + +## Bug fixes and changes + + + + + + +