OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 16.6.9
A critical SQL injection vulnerability has been identified in OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The vulnerability arises when a custom field's name is used in a Cost Report, allowing an attacker to inject arbitrary SQL commands into the query. This exploitation is possible because the custom field names are not properly sanitized. Although the attack surface is limited to users with full administrator privileges, this vulnerability can be chained with another issue in the Repositories module, which improperly sanitizes project identifiers. This combination could allow an attacker to execute Ruby code within the OpenProject application.
Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands. This could potentially lead to unauthorized data access or manipulation. When combined with another vulnerability in the Repositories module, it could result in remote code execution by injecting Ruby code into the application.
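As an added illustration, not OpenProject's own code, the pattern behind this class of bug in Ruby: a report query that splices an admin-defined custom field name into SQL, beside a version that only ever emits the name as a quoted identifier. The table and column names (cost_entries, cost) and the custom field names are assumptions constructed for the example.

```ruby
# Added illustration, not OpenProject's code: a report query that uses a
# custom field name (admin-defined data) as a column. Table and column
# names (cost_entries, cost) are assumed for the example.

# Vulnerable pattern: the stored name is spliced into the SQL text as-is,
# so anything the name contains becomes part of the statement.
def vulnerable_report_sql(custom_field_name)
  "SELECT #{custom_field_name}, SUM(cost) FROM cost_entries " \
    "GROUP BY #{custom_field_name}"
end

# Column names cannot be bound as query parameters, so an identifier that
# comes from data must be quoted as an identifier: wrap it in double quotes
# and double any embedded double quote (PostgreSQL rules, the same thing
# PG::Connection#quote_ident does).
def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

# Hardened pattern: the name is only ever emitted as one quoted identifier,
# so a name containing ';' is looked up as a (nonexistent) column rather
# than executed as a second statement.
def hardened_report_sql(custom_field_name)
  col = quote_ident(custom_field_name)
  "SELECT #{col}, SUM(cost) FROM cost_entries GROUP BY #{col}"
end

# Constructed custom field names: a benign one and one carrying a statement
# terminator, as could be stored through a compromised administrator account.
BENIGN_NAME = "cf_budget"
HOSTILE_NAME = "cf_budget; SELECT version()"

# Review-time check: how many top-level statements does the generated SQL
# contain? Quoted identifiers are stripped first so their contents are
# not counted.
def statement_count(sql)
  sql.gsub(/"(?:[^"]|"")*"/, "").split(";").count { |s| s.strip != "" }
end
```

Running `statement_count` over both builders with `HOSTILE_NAME` shows the vulnerable one yielding several statements and the hardened one exactly one.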
Users can upgrade to OpenProject versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 to address this vulnerability.