Risk | Medium
Patch available | YES
Number of vulnerabilities | 2
CVE-ID | CVE-2011-4929, CVE-2011-4927
CWE-ID | CWE-20
Exploitation vector | Network
Public exploit | Public exploit code for vulnerability #1 is available.
Vulnerable software | Redmine (Web applications / CRM systems)
Vendor | Ruby
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU43417
Risk: Medium
CVSSv3.1: 6.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C]
CVE-ID: CVE-2011-4929
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Redmine: 0.9.0 - 1.0.4
External links
http://www.debian.org/security/2011/dsa-2261
http://www.openwall.com/lists/oss-security/2012/01/06/5
http://www.openwall.com/lists/oss-security/2012/01/06/7
http://www.redmine.org/news/49
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
EUVDB-ID: #VU43418
Risk: Low
CVSSv3.1: 1.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-4927
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Unspecified vulnerability in the bazaar repository adapter in Redmine 1.0.x before 1.0.5 allows remote authenticated users to obtain sensitive information via unknown vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Redmine: 1.0.0 - 1.0.4
External links
http://www.debian.org/security/2011/dsa-2261
http://www.openwall.com/lists/oss-security/2012/01/06/5
http://www.openwall.com/lists/oss-security/2012/01/06/7
http://www.redmine.org/news/49
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.