OpenProject has Argument Injection on Repository module that allows Arbitrary File Write

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.

N/A

在命令中使用的特殊元素转义处理不恰当(命令注入)

OpenProject 命令注入漏洞

OpenProject是OpenProject开源的一个基于Web的项目管理软件。 OpenProject 16.6.6之前版本和17.0.2之前版本存在命令注入漏洞，该漏洞源于仓库差异下载端点存在任意文件写入，可能导致数据丢失和拒绝服务。

N/A

N/A