ArchLinux: 202105-1: redmine: multiple issues


Arch Linux Security Advisory ASA-202105-1
=========================================

Severity: Critical
Date    : 2021-05-19
CVE-ID  : CVE-2021-29274 CVE-2021-30163 CVE-2021-30164 CVE-2021-31863
          CVE-2021-31864 CVE-2021-31865 CVE-2021-31866
Package : redmine
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1743

Summary
=======

The package redmine before version 4.2.1-1 is vulnerable to multiple
issues including arbitrary filesystem access, access restriction
bypass, cross-site scripting, arbitrary file upload and information
disclosure.

Resolution
==========

Upgrade to 4.2.1-1.

# pacman -Syu "redmine>=4.2.1-1"

The problems have been fixed upstream in version 4.2.1.

Workaround
==========

None.

Description
===========

- CVE-2021-29274 (cross-site scripting)

Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an
issue's subject is mishandled in the auto complete tip.

- CVE-2021-30163 (information disclosure)

Redmine before 4.1.2 allows attackers to discover the names of private
projects if issue-journal details exist that have changes to project_id
values.

- CVE-2021-30164 (access restriction bypass)

Redmine before 4.1.2 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the Issues API.

- CVE-2021-31863 (arbitrary filesystem access)

Insufficient input validation in the Git repository integration of
Redmine before 4.2.1 allows Redmine users to read arbitrary local files
accessible by the application server process.

- CVE-2021-31864 (access restriction bypass)

Redmine before 4.2.1 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the incoming mail handler.

- CVE-2021-31865 (arbitrary file upload)

Redmine before 4.2.1 allows users to circumvent the allowed filename
extensions of uploaded attachments.

- CVE-2021-31866 (information disclosure)

Redmine before 4.1.3 allows an attacker to learn the values of internal
authentication keys by observing timing differences in string
comparison operations within SysController and MailHandlerController.
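For the timing issue in CVE-2021-31866, the following is an added example (not Redmine's code or its upstream patch) that places an early-exit key comparison beside a constant-time one. The function names and the sample key are hypothetical.

```ruby
require 'digest'

# Constructed sample value standing in for a configured API key.
EXPECTED_KEY = 'constructed-sample-key-0123456789'

# Leaky check: String#== can return at the first differing byte, so the
# response time depends on how much of the supplied key is correct.
def key_matches_leaky?(supplied, expected)
  supplied.to_s == expected.to_s
end

# Compares two equal-length byte strings without an early exit: every byte
# pair is XORed and the differences are accumulated into one value.
def fixed_length_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened check: both values are hashed first, so the compared strings
# always have the same length and the loop time is independent of the
# position of the first mismatch in the supplied key.
def key_matches_constant_time?(supplied, expected)
  return false if expected.to_s.empty? # an unset key must never authenticate

  fixed_length_equal?(Digest::SHA256.digest(supplied.to_s),
                      Digest::SHA256.digest(expected.to_s))
end
```

In a Rails application the same property is available from `ActiveSupport::SecurityUtils.secure_compare`, which avoids maintaining a hand-written comparison loop.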

Impact
======

A remote attacker could disclose private information, perform actions
without having the required permissions, or execute arbitrary
JavaScript code by leveraging cross-site scripting.

References
==========

https://bugs.archlinux.org/task/70203
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/33846
https://github.com/redmine/redmine/commit/bbfade972865e78e4d865af2cdb93e6cb57d5a45
https://www.redmine.org/issues/33360
https://github.com/redmine/redmine/commit/0d96c4ebdb1cceeb6cac8f940a11b5407a0a5211
https://www.redmine.org/issues/33689
https://github.com/redmine/redmine/commit/a7b9fa99966e8d59bd88548248ab11400ea48e5e
https://www.redmine.org/issues/35085
https://github.com/redmine/redmine/commit/45461bfe51e9492d607f7204120f49ce3396a0cf
https://www.redmine.org/issues/35045
https://github.com/redmine/redmine/commit/d03a718e6efca0493d8b42bd4ba356d736a77f49
https://www.redmine.org/issues/34367
https://github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28
https://www.redmine.org/issues/34950
https://github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93
https://security.archlinux.org/CVE-2021-29274
https://security.archlinux.org/CVE-2021-30163
https://security.archlinux.org/CVE-2021-30164
https://security.archlinux.org/CVE-2021-31863
https://security.archlinux.org/CVE-2021-31864
https://security.archlinux.org/CVE-2021-31865
https://security.archlinux.org/CVE-2021-31866


May 20, 2021