Explore top 10 tips to secure your open-source projects now. Read More
×
Multiple cross-site scripting vulnerabilities were found in Redmine, a project management web application. For the stable distribution (bookworm), these problems have been fixed in . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5699-1
Redmine, a project management web application, may disclose the names of users on activity views due to an insufficient access filter. An attacker may infer information of users working on private projects. . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2787-1
The package redmine before version 4.2.1-1 is vulnerable to multiple issues including arbitrary filesystem access, access restriction bypass, cross-site scripting, arbitrary file upload and information disclosure. . Arch Linux Security Advisory ASA-202105-1 ======================================== Severity: Critical Date : 2021-05-19 CVE-ID : CVE-2021-29274 CVE-2021-30163 CVE-2021-30164 CVE-2021-31863 CVE-2021-31864 CVE-2021-31865 CVE-2021-31866 Package : redmine Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1743 Summary ====== The package redmine before version 4.2.1-1 is vulnerable to multiple issues including arbitrary filesystem access, access restriction bypass, cross-site scripting, arbitrary file upload and information disclosure. Resolution ========= Upgrade to 4.2.1-1. # pacman -Syu "redmine> =4.2.1-1" The problems have been fixed upstream in version 4.2.1. Workaround ========= None. Description ========== - CVE-2021-29274 (cross-site scripting) Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an issues subject is mishandled in the auto complete tip. - CVE-2021-30163 (information disclosure) Redmine before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. - CVE-2021-30164 (access restriction bypass) Redmine before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. - CVE-2021-31863 (arbitrary filesystem access) Insufficient input validation in the Git repository integration of Redmine before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process. - CVE-2021-31864 (access restriction bypass) Redmine before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. - CVE-2021-31865 (arbitrary file upload) Redminebefore 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. - CVE-2021-31866 (information disclosure) Redmine before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController. Impact ===== A remote attacker could disclose private information, perform actions without having the required permissions, or execute arbitrary JavaScript code by leveraging cross-site scripting. References ========= https://bugs.archlinux.org/task/70203 https://github.com/redmine/redmine/commit/bbfade972865e78e4d865af2cdb93e6cb57d5a45 https://github.com/redmine/redmine/commit/0d96c4ebdb1cceeb6cac8f940a11b5407a0a5211 https://github.com/redmine/redmine/commit/a7b9fa99966e8d59bd88548248ab11400ea48e5e https://github.com/redmine/redmine/commit/45461bfe51e9492d607f7204120f49ce3396a0cf https://github.com/redmine/redmine/commit/d03a718e6efca0493d8b42bd4ba356d736a77f49 https://github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28 https://github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93 https://security.archlinux.org/CVE-2021-29274 https://security.archlinux.org/CVE-2021-30163 https://security.archlinux.org/CVE-2021-30164 https://security.archlinux.org/CVE-2021-31863 https://security.archlinux.org/CVE-2021-31864 https://security.archlinux.org/CVE-2021-31865 https://security.archlinux.org/CVE-2021-31866 . Debian Security Bulletin DSA-2021-02 discusses critical flaws found in mediawiki prior to version 1.35.0-1.. Redmine Security Issues, Arch Linux Advisory, Critical Redmine Threats. . Severity: Critical. LinuxSecurity.com Team
Several issues were found in Redmine, a project management web application, which could lead to cross-site scripting, information disclosure, and reading arbitrary files from the server. . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2658-1
Several security issues were fixed in redmine.. =========================================================================Ubuntu Security Notice USN-4200-1 November 26, 2019 redmine vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.04 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in redmine. Software Description: - redmine: flexible project management web application Details: It was discovered that Redmine incorrectly handle certain inputs that could cause textile formatting errors. An attacker could possibly use this issue to cause a XSS attack. (CVE-2019-17427) It was discovered that an SQL injection could allow users to access protected information via a crafted object query. (CVE-2019-18890) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04: redmine 4.0.1-2ubuntu0.1 redmine-mysql 4.0.1-2ubuntu0.1 redmine-pgsql 4.0.1-2ubuntu0.1 redmine-sqlite 4.0.1-2ubuntu0.1 Ubuntu 18.04 LTS: redmine 3.4.4-1ubuntu0.1 redmine-mysql 3.4.4-1ubuntu0.1 redmine-pgsql 3.4.4-1ubuntu0.1 redmine-sqlite 3.4.4-1ubuntu0.1 Ubuntu 16.04 LTS: redmine 3.2.1-2ubuntu0.2 redmine-mysql 3.2.1-2ubuntu0.2 redmine-pgsql 3.2.1-2ubuntu0.2 redmine-sqlite 3.2.1-2ubuntu0.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-4200-1 CVE-2019-17427, CVE-2019-18890 Package Information: https://launchpad.net/ubuntu/+source/redmine/4.0.1-2ubuntu0.1 https://launchpad.net/ubuntu/+source/redmine/3.4.4-1ubuntu0.1 https://launchpad.net/ubuntu/+source/redmine/3.2.1-2ubuntu0.2 . UbuntuSecurity Notice USN-4250-1 addresses several vulnerabilities related to the kernel and their applicable patches for different versions.. Redmine Vulnerabilities, Ubuntu Security Notice, SQL Injection, XSS, Software Update. . Severity: Critical. LinuxSecurity.com Team
Hoger Just discovered an SQL injection in Redmine, a project management web application. In addition a cross-site scripting issue was found in Textile formatting. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4574-1
The redmine security update announced as DSA-4191-1 caused regressions with multi-value fields while doing queries on project issues due to an bug in the patch to address CVE-2017-15569. Updated packages are now available to correct this issue. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-4191-2
Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information disclosure or cross-site scripting attacks. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-4191-1
Get the latest Linux and open source security news straight to your inbox.