Design/Logic Flaw

2023-06-0117:15:00

PRIOn knowledge base

www.prio-n.com

openproject

robots.txt

version 12.5.6

patch

project identifiers

crawlers

security flaw

web-based

project management

membership

access

0.001 Low

EPSS

Percentile

45.7%

JSON

OpenProject is web-based project management software. For any OpenProject installation, a robots.txt file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as Login required and prevents all truly anonymous access, the /robots.txt route remains publicly available.

Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

CPENameOperatorVersion
openprojectlt12.5.6

CPE	Name	Operator	Version
	openproject	lt	12.5.6

References

community.openproject.org/wp/48324

github.com/opf/openproject/pull/12708

github.com/opf/openproject/releases/tag/v12.5.6

github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8

patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch

0.001 Low

EPSS

Percentile

45.7%

JSON

Related for PRION:CVE-2023-33960