OpenProject contains a critical cache poisoning vulnerability that can lead to Remote Code Execution, necessitating an immediate software update.

The application is susceptible to cache store poisoning. By injecting malicious data into the cache, an attacker can manipulate application logic to execute arbitrary code on the server.

The CVSS score of 9.6 underscores the critical nature of this vulnerability. Remote Code Execution allows attackers to bypass all application-level security, potentially leading to a full compromise of the project management platform, theft of sensitive intellectual property, and unauthorized access to integrated systems and databases.

Immediate Action: Upgrade OpenProject to version 17.3.3, 17.4.1, or later to address the cache poisoning vulnerability.

Proactive Monitoring: Monitor server logs for unusual cache-related errors or unexpected process spawns that could indicate an attempt to leverage cache poisoning for command execution.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter malicious payloads and limit the exposure of the application's cache-handling interfaces.

Public Exploit Available: Unknown

The ability to achieve Remote Code Execution through cache poisoning makes this a high-priority vulnerability. Security teams should prioritize patching this instance immediately to prevent potential system-wide compromise. Verify that all instances are running the updated versions and audit access logs for any evidence of prior unauthorized activity.