CVE-2021-43830

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-43830

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43830.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-43830

Aliases

BIT-openproject-2021-43830

Related

GHSA-f565-3whr-6m96

Published

2021-12-14T20:15:07.813Z

Modified

2026-03-19T12:45:32.929289Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the reassign_to_id parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch

References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type

GIT

Repo

https://github.com/opf/openproject

Events

Introduced

ad3df7f724e812a4f3804f59454984fcf15f79b3

Fixed

aa0813030c9f9654e808f61b3f914d2b2e6086a5

Database specific

{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.0.4"
        }
    ]
}

Affected versions

v12.*

v12.0.0

v12.0.1

v12.0.2

v12.0.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43830.json"