references/openproject
1
0
Fork 0
mirror of https://github.com/opf/openproject.git synced 2026-06-13 19:20:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/release/17.3' into release/17.4

Browse Source
This commit is contained in:
Oliver Günther
2026-06-08 10:02:38 +02:00
parent 0c91f16401 769063cf4b
commit c59cd7bac9
2 changed files with 87 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/release-notes/17-3-3/README.md
+80
View File
@@ -0,0 +1,80 @@
---
title: OpenProject 17.3.3
sidebar_navigation:
title: 17.3.3
release_version: 17.3.3
release_date: 2026-06-08
---
# OpenProject 17.3.3
Release date: 2026-06-08
We released [OpenProject 17.3.3](https://community.openproject.org/versions/2299).
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->
## Security fixes
### CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-f2rx-x2qj-2hgj](https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj)
### GHSA-3vpx-94qx-xpw6 - IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources
A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project&#39;s `project_folder_id` into the attacker&#39;s `Storages::ProjectStorage` row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project&#39;s user list.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-3vpx-94qx-xpw6](https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6)
### GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]"
Turbo Drive auto-injects CSRF tokens (from `<meta name="csrf-token">`) on forms injected via the XSS&#39;s `append` Turbo Stream action. A second action, `dispatch_event` with `name="submit"`, auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF attack
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-6crw-7f5r-4qj9](https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9)
### GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality
OpenProject baseline comparison allows callers to request historic work-package attributes using the `timestamps` parameter.
The timestamp parser accepts a relative date keyword on the first line because its regular expression uses line anchors. The parser validates the input, but the original multi-line string is kept and later interpolated into a raw SQL `CASE ... THEN '<timestamp>'` expression.
An authenticated user who can save a query can persist a timestamp array value containing literal commas and trigger a top-level data-modifying CTE. This gives the attacker a generic database write primitive as the OpenProject application database role.
The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account&#39;s administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-98vw-2r87-fx2r](https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r)
### GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
OpenProject&#39;s Storages module writes the OneDrive/SharePoint userless OAuth `access_token` plaintext to `Rails.cache` under the deterministic key `storage.<id>.httpx_access_token`, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (`file_store`, `memcache`, `redis`) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous `get` over the memcached binary protocol (or the equivalent against Redis)
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-h83w-5q5x-pq27](https://github.com/opf/openproject/security/advisories/GHSA-h83w-5q5x-pq27)
### GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"
The HTML sanitizer grants `<macro>` elements unrestricted `data-*` attributes via `:data` wildcard. An attacker injects `data-controller="poll-for-changes"` into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to `renderStreamMessage()`. This executes arbitrary Turbo Stream actions — including `redirect_to` — in every victim&#39;s authenticated browser session, redirecting them to an attacker-controlled server.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-q33w-f822-hg8x](https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x)
### GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE)
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-qj96-f42f-6336](https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336)
<!-- END SECURITY FIXES AUTOMATED SECTION -->
<!--more-->
## Bug fixes and changes
<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
<!-- BEGIN AUTOMATED SECTION -->
<!-- END AUTOMATED SECTION -->
<!-- Warning: Anything above this line will be automatically removed by the release script -->
docs/release-notes/README.md
+7
View File
@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
<!--- New release notes are generated below. Do not remove comment. -->
<!--- RELEASE MARKER -->
## 17.3.3
Release date: 2026-06-08
[Release Notes](17-3-3/)
## 17.4.0
Release date: 2026-05-13