Headline
CVE-2023-45826: Merge pull request #1906 from Leantime/bugFixes · Leantime/leantime@be75f1e
Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php
is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc
to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
@@ -137,19 +137,17 @@ public function boot(): void
}
if (! defined(‘CURRENT_URL’)) {
define('CURRENT_URL’, !empty($config->appUrl)
? $config->appUrl . $request->getPathInfo()
: $request->getFullUrl());
define('CURRENT_URL’, BASE_URL . $request->getRequestUri());
}
$this->loadHeaders();
$this->checkIfInstalled();
$this->checkIfUpdated();
Events::discover_listeners();
$this->checkIfUpdated();
/**
* The beginning of the application
*
@@ -188,10 +186,13 @@ public function getApplication(): Application
$this->bindRequest();
// Setup Configuration
$this->app->singleton(Environment::class, Environment::class);
//$this->app->singleton(Environment::class, Environment::class);
$this->app->singleton(Environment::class, fn ($app) => $_SESSION[‘configclass’] ??= new Environment($app->make(DefaultConfig::class)));
$this->app->alias(Environment::class, \Illuminate\Contracts\Config\Repository::class);
$this->app->alias(Environment::class, alias: “config”);
// specify singletons/instances
$this->app->singleton(Db::class, Db::class);
$this->app->singleton(Frontcontroller::class, Frontcontroller::class);
@@ -351,6 +352,8 @@ private function handleRequest(): void
$frontController = $this->app->make(Frontcontroller::class);
$incomingRequest = $this->app->make(IncomingRequest::class);
$this->publicActions = self::dispatch_filter("publicActions", $this->publicActions, [‘bootloader’ => $this]);
// handle public request
if (in_array($frontController::getCurrentRoute(), $this->publicActions)) {
$frontController::dispatch();
@@ -359,6 +362,9 @@ private function handleRequest(): void
// handle API request
if ($incomingRequest instanceof ApiRequest) {
self::dispatch_event("before_api_request", [‘application’ => $this]);
$apiKey = $incomingRequest->getAPIKey();
$apiUser = $this->app->make(ApiService::class)->getAPIKeyUser($apiKey);