OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .
The official openproject/openproject Docker image contains a hardcoded environment key SECRET_KEY_BASE set to 'OVERWRITE_ME', which serves as the main Rails master key. Since the application uses a Marshal-based cookie serializer (cookies_serializer = :marshal), an attacker knowing the signing key can forge a signed cookie and deliver a malicious, crafted Marshal object. The attack path goes through the /my/two_factor_devices endpoint, where the vulnerable cookie is read, resulting in untrusted code execution on the server side during deserialization.
A logged-in user can gain full remote code execution (RCE) on the application server, giving them access to all data, ability to escalate privileges, and compromise the entire container environment.
Apply patches available from the vendor according to references (https://github.com/opf/openproject/security/advisories/GHSA-r85r-gjq2-f83r). Regardless of updates, IMMEDIATELY override the SECRET_KEY_BASE environment variable with your own random, unique value in Docker configuration. Deployments with the default value 'OVERWRITE_ME' should be considered compromised.
The official openproject/openproject Docker image in all versions before the version indicated in vendor references (patched version not specified in description); affects installations where the SECRET_KEY_BASE key has not been overridden with a custom value.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H