redmine

Link	package \| bugs open \| bugs closed \| Wiki \| GitHub \| web search
Description	A flexible project management web application written using Ruby on Rails framework.
Version	4.2.1-1 [community]

Open

Group	Affected	Fixed	Severity	Status	Ticket
AVG-1920	4.2.1-1		Medium	Vulnerable

Issue	Group	Severity	Remote	Type	Description
CVE-2021-22904	AVG-1920	Low	Yes	Denial of service	There is a possible denial of service (DoS) vulnerability in the Token Authentication logic in Action Controller before versions 6.1.3.2, 6.0.3.7, 5.2.4.6...
CVE-2021-22885	AVG-1920	Medium	Yes	Information disclosure	There is a possible information disclosure/unintended method execution vulnerability in Action Pack before versions 6.1.3.2, 6.0.3.7, 5.2.4.6 and 5.2.6 when...

Issue

Group

Severity

Remote

Type

Description

CVE-2021-22904

AVG-1920

Low

Yes

Denial of service

There is a possible denial of service (DoS) vulnerability in the Token Authentication logic in Action Controller before versions 6.1.3.2, 6.0.3.7, 5.2.4.6...

CVE-2021-22885

AVG-1920

Medium

Yes

Information disclosure

There is a possible information disclosure/unintended method execution vulnerability in Action Pack before versions 6.1.3.2, 6.0.3.7, 5.2.4.6 and 5.2.6 when...

Resolved

Group	Affected	Fixed	Severity	Status	Ticket
AVG-1743	4.1.1-2	4.2.1-1	Critical	Fixed	FS#70203

Issue	Group	Severity	Remote	Type	Description
CVE-2021-31866	AVG-1743	Medium	Yes	Information disclosure	Redmine before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations...
CVE-2021-31865	AVG-1743	Medium	Yes	Arbitrary file upload	Redmine before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
CVE-2021-31864	AVG-1743	Low	Yes	Access restriction bypass	Redmine before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.
CVE-2021-31863	AVG-1743	Critical	Yes	Arbitrary filesystem access	Insufficient input validation in the Git repository integration of Redmine before 4.2.1 allows Redmine users to read arbitrary local files accessible by the...
CVE-2021-30164	AVG-1743	High	Yes	Access restriction bypass	Redmine before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.
CVE-2021-30163	AVG-1743	Medium	Yes	Information disclosure	Redmine before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.
CVE-2021-29274	AVG-1743	High	Yes	Cross-site scripting	Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an issue's subject is mishandled in the auto complete tip.

Advisories

Date	Advisory	Group	Severity	Type
19 May 2021	ASA-202105-1	AVG-1743	Critical	multiple issues