CVE-2023-33960

7.5 HIGH

📋 TL;DR

OpenProject's robots.txt file publicly exposes project identifiers even when the entire instance is configured to require login. This information disclosure vulnerability affects all OpenProject installations with public projects, allowing attackers to enumerate project structure without authentication.

💻 Affected Systems

Products:
  • OpenProject
Versions: All versions prior to 12.5.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with public projects. If all projects are private, the vulnerability still exists but exposes no data.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could map all public projects in an organization, potentially identifying sensitive project names or structures that could be used for targeted attacks or social engineering.

🟠 Likely Case: Information leakage revealing project names, identifiers, and organizational structure that should remain private in login-required instances.

🟢 If Mitigated: No information disclosure - robots.txt properly respects the login-required configuration and doesn't expose project data.

🌐 Internet-Facing: HIGH - The vulnerability is in a publicly accessible file that web crawlers and attackers can easily retrieve without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this to gather project information they shouldn't have access to.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an HTTP GET request to /robots.txt. No special tools or authentication are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.5.6

Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8

Restart Required: Yes

Instructions:

1. Upgrade OpenProject to version 12.5.6 or later.
2. Alternatively, apply the patch from GitHub PR #12708 to versions 10.0+.
3. Restart the OpenProject service.

🔧 Temporary Workarounds

Mark all projects as non-public
Applies to: all
Change all public projects to non-public and grant access only to authorized users via project membership.
Where: OpenProject web interface: Project Settings > Visibility > Set to 'Non-public'

🧯 If You Can't Patch

  • Implement web application firewall rules to block access to /robots.txt for unauthenticated users
  • Configure reverse proxy to intercept and modify/block robots.txt responses

🔍 How to Verify

Check if Vulnerable:

Access http://your-openproject-instance/robots.txt without authentication. If it returns project identifiers and your instance requires login, you are vulnerable.
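The check above, as an added example (not code from the advisory or from OpenProject): it parses a robots.txt body, pulls out the project identifiers that appear in Allow/Disallow paths, and reports whether that is a problem for a login-required instance. The assumption, labelled in the code, is that leaked entries take the form "Disallow: /projects/<identifier>/..."; the sample bodies are constructed, and `fetch_robots` is only a convenience for running the same check against your own instance.

```python
"""Added example (not OpenProject's code): offline check for project
identifiers exposed through robots.txt, the condition described in the
CVE-2023-33960 advisory."""
import re
import sys
import urllib.request

# Assumption: exposed entries look like "Disallow: /projects/<identifier>/...".
PROJECT_PATH = re.compile(r"^/projects/([A-Za-z0-9_-]+)(?:/|$)")


def parse_robots(text):
    """Return (directive, value) pairs from a robots.txt body, ignoring
    blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def extract_project_identifiers(text):
    """Unique project identifiers found in Allow/Disallow paths, in order."""
    found = []
    for directive, value in parse_robots(text):
        if directive not in ("allow", "disallow"):
            continue
        match = PROJECT_PATH.match(value)
        if match and match.group(1) not in found:
            found.append(match.group(1))
    return found


def assess(text, login_required):
    """One-line verdict for the robots.txt body of an instance."""
    ids = extract_project_identifiers(text)
    if not ids:
        return "no project identifiers exposed"
    if login_required:
        return (f"VULNERABLE: {len(ids)} project identifier(s) exposed "
                f"on a login-required instance: {', '.join(ids)}")
    return f"exposed (expected for public projects): {len(ids)} identifier(s)"


def fetch_robots(base_url, timeout=10):
    """Retrieve /robots.txt from your own instance without authenticating."""
    url = base_url.rstrip("/") + "/robots.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample bodies (not captured from a real instance).
SAMPLE_LEAKY = """User-agent: *
Disallow: /projects/finance-2023/activity
Disallow: /projects/finance-2023/repository
Disallow: /projects/hr-internal/activity
Disallow: /login   # not a project path, must be ignored
"""

SAMPLE_FIXED = """User-agent: *
Disallow: /login
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_robots.py https://your-openproject-instance
        print(assess(fetch_robots(sys.argv[1]), login_required=True))
    else:
        print("leaky sample:", assess(SAMPLE_LEAKY, login_required=True))
        print("fixed sample:", assess(SAMPLE_FIXED, login_required=True))
```

Run it with the base URL of an instance that requires login; any identifier in the output means the instance is still exposing project data. On an instance that intentionally has public projects the same identifiers are expected, which is why the verdict depends on `login_required`.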

Check Version:

Check the OpenProject version in the web interface or via the command: openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'

Verify Fix Applied:

After patching, robots.txt should return empty or generic content when accessed without authentication in login-required instances.

📡 Detection & Monitoring

Log Indicators:

  • Multiple GET requests to /robots.txt from unauthenticated IPs
  • Unusual crawler/bot activity patterns

Network Indicators:

  • Unusual traffic to /robots.txt endpoint
  • External IPs accessing robots.txt without subsequent authentication

SIEM Query:

source="openproject" AND path="/robots.txt" AND status=200 AND NOT user_agent="*bot*"
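The same logic applied offline to web-server access logs, as an added example (not part of the advisory and not an OpenProject component): it keeps GET /robots.txt requests answered with 200 whose user agent does not contain "bot", counts them per client address, and flags clients that never authenticate afterwards. The log lines are constructed in combined log format; the assumption that a successful form login shows up as POST /login answered with 302 is labelled in the code and should be adjusted to what your proxy actually records.

```python
"""Added example (not from the advisory or OpenProject): the SIEM query's
conditions applied to constructed access-log lines."""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Dict of the fields we use, or None for a line that does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_suspicious_clients(lines):
    """Return [(ip, robots_hits)] for clients that fetched /robots.txt
    (status 200, non-bot user agent) and did not log in afterwards,
    most hits first."""
    hits = defaultdict(int)
    logged_in = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        is_robots_hit = (rec["method"] == "GET" and path == "/robots.txt"
                         and rec["status"] == "200"
                         and "bot" not in rec["ua"].lower())
        if is_robots_hit:
            hits[rec["ip"]] += 1
        # Assumption: a successful form login is POST /login answered with 302.
        # Only counts when the client already fetched robots.txt ("subsequent").
        elif (rec["method"] == "POST" and path == "/login"
              and rec["status"] == "302" and rec["ip"] in hits):
            logged_in.add(rec["ip"])
    flagged = [(ip, n) for ip, n in hits.items() if ip not in logged_in]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jun/2023:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '198.51.100.5 - - [12/Jun/2023:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "Googlebot/2.1"',
    '192.0.2.20 - - [12/Jun/2023:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.20 - - [12/Jun/2023:10:01:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.10 - - [12/Jun/2023:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [12/Jun/2023:10:02:01 +0000] "GET /projects/finance-2023/activity HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
]

if __name__ == "__main__":
    for ip, count in find_suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {count} robots.txt fetch(es), no subsequent login")
```

In the sample, the crawler is excluded by the user-agent rule, the client that logs in after reading robots.txt is dropped, and only the scripted client that fetched robots.txt twice and then went straight for a project path is reported. Point the function at your real access log (one string per line) to get the same report for your own traffic.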
