CVE-2024-41801

4.7 MEDIUM

📋 TL;DR

OpenProject versions before 14.3.0 are vulnerable to host header injection: an attacker can supply a forged HOST header so that links and redirects generated by the application point to an attacker-controlled site, which can then be used for phishing. This affects default packaged installations using Apache without additional security configuration. Instances with 'Login required' enabled are particularly at risk, because users are redirected to the login page and its URL is built from the forged host.

💻 Affected Systems

Products:
  • OpenProject
Versions: All versions prior to 14.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default packaged installations on Apache without mod_security, without a custom hostname configuration, and without a fallthrough VirtualHost. Also affects other installations that do not validate the HOST and X-Forwarded-Host headers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Successful phishing attack leading to credential theft, account compromise, and potential lateral movement within the project management system.

🟠 Likely Case

Phishing attempts against OpenProject users, potentially capturing login credentials or session tokens.

🟢 If Mitigated

No impact when strict host header validation is in place or after upgrading to a fixed version.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the OpenProject instance and knowledge of the vulnerability. No authentication needed to initiate the attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.3.0

Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw

Restart Required: Yes

Instructions:

1. Upgrade OpenProject to version 14.3.0 or later.
2. Restart the OpenProject service.
3. Verify the upgrade was successful by checking the version.

🔧 Temporary Workarounds

Apply mod_security rules (platform: linux)

Configure Apache mod_security to validate the HOST and X-Forwarded-Host headers and reject anything that is not your own hostname:

# Reject requests whose Host header is not the expected hostname (an optional :port is allowed);
# mod_security 2.7+ requires every rule to carry an id
SecRule REQUEST_HEADERS:Host "!@rx ^your-domain\.com(:\d+)?$" "id:1000001,phase:1,deny,status:403,msg:'Unexpected Host header'"
# Apply the same check to X-Forwarded-Host when a proxy sits in front of OpenProject (the rule is skipped if the header is absent)
SecRule REQUEST_HEADERS:X-Forwarded-Host "!@rx ^your-domain\.com(:\d+)?$" "id:1000002,phase:1,deny,status:403,msg:'Unexpected X-Forwarded-Host header'"

Manual patch application (platform: all)

Apply host-protection.patch to an OpenProject version before 14.3.0:

# Download patch: https://github.com/user-attachments/files/16371759/host-protection.patch
# Apply from the OpenProject application root, then restart the service: patch -p1 < host-protection.patch

🧯 If You Can't Patch

  • Implement reverse proxy with strict host header validation
  • Configure WAF to block forged HOST headers

🔍 How to Verify

Check if Vulnerable:

Check if OpenProject version is below 14.3.0 and if default Apache configuration is used without host header protections.

Check Version:

openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'

Verify Fix Applied:

Verify OpenProject version is 14.3.0 or higher and test that forged HOST headers are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns
  • Requests with mismatched HOST headers
  • Failed host validation attempts

Network Indicators:

  • HTTP requests with forged HOST headers
  • Redirects to external domains from OpenProject

SIEM Query:

source="openproject" AND (url:*redirect* OR header:HOST != "expected-domain.com")
