CVE-2026-32698
OpenProject · OpenProject
OpenProject is vulnerable to an SQL injection via custom field names, which can be leveraged to manipulate git checkout paths and achieve arbitrary Ruby code execution upon application restart.
Executive summary
A critical SQL injection and path traversal chain in OpenProject allows authenticated administrators to escalate privileges and execute arbitrary Ruby code on the host server.
Vulnerability
This vulnerability involves an SQL injection within the Cost Report generation feature via unsanitized custom field names. While the initial vector requires administrator privileges, it can be chained with a repository module flaw to write a git repository to an arbitrary path, leading to remote code execution (RCE).
Business impact
A successful exploit allows for the complete compromise of the OpenProject application and the underlying server infrastructure. Given the CVSS score of 9.1, the risk is critical as it enables attackers to execute arbitrary code, potentially leading to the theft of sensitive project data, intellectual property, and total system downtime. The ability to inject Ruby code signifies a total loss of integrity and confidentiality for the affected environment.
Remediation
Immediate Action: Administrators must upgrade OpenProject installations to versions 16.6.9, 17.0.6, 17.1.3, 17.2.1, or later to patch the underlying injection vulnerabilities.
Proactive Monitoring: Monitor application logs for unusual SQL syntax in Cost Report queries and inspect the filesystem for unauthorized git repository checkouts in non-standard directories.
Compensating Controls: Restrict administrative access to trusted personnel only and implement strict network-level egress filtering to prevent the server from connecting to malicious external git repositories.
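One way to operationalise the filesystem check recommended above, as an added example that is not part of this advisory or of OpenProject's own code: walk the host and flag any git checkout that sits outside the configured OpenProject repository root. The repository root path and the sample directory tree are constructed assumptions for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def find_unexpected_git_checkouts(scan_root, allowed_roots):
    """Return every directory containing a .git entry that is not under an allowed root.

    A git repository written outside the configured repository root is the
    on-disk trace the advisory says to look for.
    """
    allowed = [Path(a).resolve() for a in allowed_roots]
    findings = []
    for dirpath, dirnames, _ in os.walk(scan_root):
        if ".git" in dirnames:
            repo = Path(dirpath).resolve()
            if not any(repo == a or a in repo.parents for a in allowed):
                findings.append(str(repo))
            dirnames.remove(".git")  # no need to descend into the .git directory itself
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: one legitimate checkout under the assumed repository
    root and one checkout planted in a non-standard application directory."""
    base = Path(tempfile.mkdtemp(prefix="op-scan-"))
    legit = base / "var/db/openproject/git/project-a/.git"
    legit.mkdir(parents=True)
    (legit / "HEAD").write_text("ref: refs/heads/main\n")
    (base / "app/config/initializers/.git").mkdir(parents=True)
    return base


def demo():
    """Scan the constructed tree; only the checkout outside the repository root is reported."""
    base = build_sample_tree()
    return find_unexpected_git_checkouts(base, [base / "var/db/openproject/git"])


if __name__ == "__main__":
    for path in demo():
        print("unexpected git checkout:", path)
```

Point scan_root at the application and system directories of the real host and allowed_roots at the repository root actually configured for the installation; any hit deserves the same triage as a confirmed write outside the repository module's intended path.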
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this vulnerability cannot be overstated, as it provides a direct path from application-level access to host-level code execution. Organizations using OpenProject should prioritize the application of the vendor-provided patches immediately to mitigate the risk of a full-scale server breach.