Regular Expression Denial of Service in OpenProject forum messages
CVE-2021-32763

4.3MEDIUM

Key Information:

Vendor: Opf
Status: Openproject
Vendor: CVE Published:; 20 July 2021

What is CVE-2021-32763?

OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the MessagesController class of OpenProject has a quote method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip <pre> tags from the message being quoted. The (.|\s) part can match a space character in two ways, so an unterminated <pre> tag containing n spaces causes Ruby's regex engine to backtrack to try 2n states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

openproject < 11.3.3

References

https://github.com/opf/openproject/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/opf/openproject/pull/9447.patch

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 20, 2021
Vulnerability Reserved
May 12, 2021

JSON

Opf

What is CVE-2021-32763?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.