Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-33960

Good to know:

icon

Date: June 1, 2023

OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available. Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

Language: Ruby

Severity Score

Related Resources (7)

https://community.openproject.org/wp/48324
https://nvd.nist.gov/vuln/detail/CVE-2023-33960
https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8
https://github.com/opf/openproject/pull/12708
https://github.com/opf/openproject/releases/tag/v12.5.6
https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
https://www.mend.io/vulnerability-database/CVE-2023-33960

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Cleartext Transmission of Sensitive Information

CWE-319

Top Fix

icon

Upgrade Version

Upgrade to version v12.5.6

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us