CVE-2021-31866

Source
Severity Medium
Remote Yes
Type Information disclosure
Description
Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.
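Added example (not Redmine's code and not part of the original advisory): a Ruby sketch of why an early-exit key comparison leaks through timing, next to a constant-time form. The key value and the helper names `early_exit_compare`, `constant_time_compare` and `key_valid?` are assumptions made for illustration.

```ruby
require 'digest'

# Constructed sample value; not a real Redmine key.
SAMPLE_KEY = 'constructed-sample-key-0001'

# Models an early-exit comparison: stops at the first differing byte, so the
# work done (and the time taken) grows with the length of the matching prefix.
# Returns [equal?, bytes_examined].
def early_exit_compare(expected, supplied)
  return [false, 0] unless expected.bytesize == supplied.bytesize
  examined = 0
  expected.bytes.zip(supplied.bytes) do |a, b|
    examined += 1
    return [false, examined] unless a == b
  end
  [true, examined]
end

# Hardened form: hash both inputs to a fixed 32 bytes, then XOR every byte
# pair without branching on the data. Work done is independent of the input.
# Returns [equal?, bytes_examined].
def constant_time_compare(expected, supplied)
  a = Digest::SHA256.digest(expected).bytes
  b = Digest::SHA256.digest(supplied).bytes
  diff = 0
  a.each_index { |i| diff |= a[i] ^ b[i] }
  [diff.zero?, a.length]
end

# Hypothetical helper: an unset key must never match an empty parameter.
def key_valid?(configured, supplied)
  return false if configured.to_s.empty? || supplied.nil?
  constant_time_compare(configured, supplied.to_s).first
end

if __FILE__ == $PROGRAM_NAME
  ['Xonstructed-sample-key-0001', 'constructed-sampleXkey-0001', SAMPLE_KEY].each do |candidate|
    puts format('%-28s early-exit=%p constant-time=%p', candidate,
                early_exit_compare(SAMPLE_KEY, candidate),
                constant_time_compare(SAMPLE_KEY, candidate))
  end
end
```

In a Rails application, `ActiveSupport::SecurityUtils.secure_compare` provides a maintained constant-time comparison and is preferable to a hand-written one.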
Group Package Affected Fixed Severity Status Ticket
AVG-1743 redmine 4.1.1-2 4.2.1-1 Critical Fixed FS#70203
References
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/34950
https://github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93