Impact
For any OpenProject installation, a robots.txt file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Even if the entire instance is marked as "Login required" and prevents all truly anonymous access, the /robots.txt route remains publicly available.
Patches
You can download the following patchfile to apply the patch to any OpenProject version > 10.0: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
Workarounds
Mark any public project as non-public for the time being and give anyone in need of access to the project a membership.
References
Credits
This security issue was responsibly disclosed by an OpenProject user. Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.
Impact
For any OpenProject installation, a robots.txt file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Even if the entire instance is marked as "Login required" and prevents all truly anonymous access, the /robots.txt route remains publicly available.
Patches
You can download the following patchfile to apply the patch to any OpenProject version > 10.0: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
Workarounds
Mark any public project as non-public for the time being and give anyone in need of access to the project a membership.
References
Credits
This security issue was responsibly disclosed by an OpenProject user. Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.