Information disclosure in Debian Linux and Redmine - CVE-2015-8473

 


Published: April 12, 2016 / Updated: August 9, 2020


Vulnerability identifier: #VU40391
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-8473
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Debian, Ruby
Affected software: Debian Linux, Redmine

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
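The version ranges above can be checked mechanically during an inventory. The following Ruby sketch is an added example, not code from Redmine or from this advisory; the function name `cve_2015_8473_status` is hypothetical, and it assumes upstream version strings of the form `3.1.1` or `3.1.1.stable`. Distribution package versions (for example Debian's) return `:unknown`, because this page lists no fixed package versions.

```ruby
require "rubygems"

# Fixed releases for the 3.0.x and 3.1.x branches, taken from the advisory text.
FIXED_BY_BRANCH = {
  "3.0" => Gem::Version.new("3.0.6"),
  "3.1" => Gem::Version.new("3.1.2")
}.freeze

# Any release older than this one is affected ("Redmine before 2.6.8").
LEGACY_FIXED = Gem::Version.new("2.6.8")

# Classifies an upstream Redmine version string.
# Returns :affected, :not_affected, or :unknown (unparseable input,
# development builds, or distribution package versions).
def cve_2015_8473_status(version_string)
  return :unknown unless version_string.is_a?(String)

  # Assumption: releases may carry a trailing ".stable" suffix.
  cleaned = version_string.strip.sub(/\.stable\z/, "")
  # Accept only plain dotted numeric versions; anything else is not comparable.
  return :unknown unless cleaned.match?(/\A\d+(\.\d+){1,3}\z/)

  version = Gem::Version.new(cleaned)
  return :affected if version < LEGACY_FIXED

  # For 3.0.x and 3.1.x, compare against that branch's fixed release.
  branch = version.segments.first(2).join(".")
  fixed = FIXED_BY_BRANCH[branch]
  return :affected if fixed && version < fixed

  :not_affected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts or data from the advisory.
  samples = ["2.6.7", "2.6.8.stable", "3.0.5", "3.1.1.stable", "3.1.2", "3.1.0.devel"]
  samples.each { |v| puts format("%-14s %s", v, cve_2015_8473_status(v)) }
end
```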


How to mitigate CVE-2015-8473

Install the update from the vendor's website.
