CVE-2021-32763
Regular Expression Denial of Service in OpenProject forum messages
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2^n states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually.
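As an added illustration of the backtracking described above (example code, not OpenProject's own): the vulnerable pattern is reconstructed from the description, and the hardened pattern, the helper names and the `Regexp.timeout` fallback are assumptions.

```ruby
# Added example, not OpenProject's code. VULNERABLE_PRE is a reconstruction of
# the shape the advisory describes, not the original source; SAFE_PRE is an
# assumed fix, not necessarily the one shipped in 11.3.3.

# Reconstructed problematic shape: `(.|\s)` matches a space two ways, so an
# unterminated <pre> followed by n spaces yields ~2^n backtracking paths when
# the trailing </pre> never matches.
VULNERABLE_PRE = /<pre>(.|\s)*<\/pre>/

# Hardened form: with /m the dot already matches newlines, so a single
# non-greedy `.*?` consumes each character exactly one way (linear time).
SAFE_PRE = /<pre>.*?<\/pre>/m

# Strip every <pre>...</pre> block from a forum message before quoting it.
def strip_pre(text, pattern: SAFE_PRE)
  text.gsub(pattern, '')
end

# Constructed pathological input: an unterminated <pre> followed by n spaces.
def unterminated_pre(n)
  "<pre>" + (" " * n)
end

# Wall-clock seconds spent stripping `text` with `pattern`.
def time_strip(pattern, text)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  strip_pre(text, pattern: pattern)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

# Defence in depth on Ruby >= 3.2: a global backtracking budget, so a
# pathological regex raises Regexp::TimeoutError instead of pinning a worker.
def install_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

if __FILE__ == $PROGRAM_NAME
  msg = "Quoted text <pre>code\n  more</pre> tail <pre>x</pre>"
  puts strip_pre(msg).inspect # "Quoted text  tail "
  puts "safe, 200k spaces: %.4fs" % time_strip(SAFE_PRE, unterminated_pre(200_000))
  # Keep n small: on engines without memoization (Ruby < 3.2) each extra
  # space doubles the vulnerable pattern's work.
  puts "vulnerable, 16 spaces: %.4fs" % time_strip(VULNERABLE_PRE, unterminated_pre(16))
end
```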
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-20 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (2)
URL | Date | Source
---|---|---
https://github.com/opf/openproject/pull/9447.patch | 2022-04-25 | 
https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f | 2022-04-25 | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Openproject | Openproject | < 11.3.3 | - | Affected