AVG-1743 log

Package redmine
Status Fixed
Severity Critical
Type multiple issues
Affected 4.1.1-2
Fixed 4.2.1-1
Current 4.2.3-1 [community]
Ticket FS#70203
Created Mon Mar 29 08:22:04 2021
Issue Severity Remote Type Description
CVE-2021-31866 Medium Yes Information disclosure
Redmine before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations...
CVE-2021-31865 Medium Yes Arbitrary file upload
Redmine before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
CVE-2021-31864 Low Yes Access restriction bypass
Redmine before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.
CVE-2021-31863 Critical Yes Arbitrary filesystem access
Insufficient input validation in the Git repository integration of Redmine before 4.2.1 allows Redmine users to read arbitrary local files accessible by the...
CVE-2021-30164 High Yes Access restriction bypass
Redmine before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.
CVE-2021-30163 Medium Yes Information disclosure
Redmine before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.
CVE-2021-29274 High Yes Cross-site scripting
Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an issue's subject is mishandled in the auto complete tip.
Date Advisory Package Type
19 May 2021 ASA-202105-1 redmine multiple issues