Can you explain this vulnerability to me?

This vulnerability exists in OpenProject, an open-source web-based project management software. Before version 17.0.2, users who had the Manage Users permission could lock and unlock other users. However, due to a missing permission check, these users were able to lock application administrators, which they were not supposed to be able to do.

The issue was that the system did not properly enforce restrictions preventing non-administrator users from locking administrator accounts. This flaw was fixed in OpenProject version 17.0.2.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can impact you by allowing users with Manage Users permission to lock administrator accounts, potentially disrupting administrative control over the application.

Locking administrator accounts could prevent administrators from accessing the system, managing users, or performing critical administrative tasks, which could lead to denial of service or loss of control over the project management environment.

The CVSS score of 6.7 indicates a medium to high severity, reflecting the potential impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade OpenProject to version 17.0.2 or later, where the missing permission check allowing users with Manage Users permission to lock application administrators has been fixed.

Useful 0 Not Useful 0