Credentials management in Redmine - CVE-2012-2054

Published: April 5, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU44156
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-2054
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ruby
Affected software:
Redmine

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, or (11) Board model via a modified URL, related to a "mass assignment" vulnerability, a different vulnerability than CVE-2012-0327.
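The pattern the description refers to, as an added illustration that is not Redmine's or Rails' own code: a model that copies every key of the request hash into its attributes lets a client set fields the form never exposed, while an allow-list only accepts the intended ones and reports the rest. The `Comment` class, its attribute names and the `TAMPERED_PARAMS` hash are constructed for this example.

```ruby
# Constructed example of a "mass assignment" weakness and its fix.
# Not Redmine or Rails source: the Comment class, attribute names and the
# request hash below are assumptions made for illustration only.

# A minimal stand-in for an ActiveRecord-style model whose attributes can be
# written in bulk from a hash of request parameters.
class Comment
  attr_reader :attributes

  # Only "body" is meant to be user-controlled; the other two are set by the app.
  PERMITTED = %w[body].freeze

  def initialize
    @attributes = { "body" => "", "author_id" => nil, "approved" => false }
  end

  # Vulnerable form: every key present in the request hash is written straight
  # into the model, so fields like author_id and approved can be overwritten
  # by whoever controls the request.
  def assign_attributes_unsafe(params)
    params.each { |k, v| @attributes[k.to_s] = v if @attributes.key?(k.to_s) }
    self
  end

  # Hardened form: only allow-listed attributes may be set in bulk; anything
  # else is dropped and returned so the caller can log or alert on it.
  def assign_attributes_safe(params)
    rejected = []
    params.each do |k, v|
      key = k.to_s
      if PERMITTED.include?(key)
        @attributes[key] = v
      else
        rejected << key
      end
    end
    rejected
  end
end

# Constructed request parameters containing two keys the comment form never
# offers; this is what a "modified URL" from the description boils down to.
TAMPERED_PARAMS = { "body" => "hi", "author_id" => 1, "approved" => true }.freeze

# Result of the vulnerable assignment: author_id and approved are overwritten.
def unsafe_result(params = TAMPERED_PARAMS)
  Comment.new.assign_attributes_unsafe(params).attributes
end

# Result of the hardened assignment: only body changes, extras are reported.
def safe_result(params = TAMPERED_PARAMS)
  comment = Comment.new
  rejected = comment.assign_attributes_safe(params)
  { "attributes" => comment.attributes, "rejected" => rejected }
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_result
  p safe_result
end
```

In a real Rails application of that era the allow-list is expressed with `attr_accessible` (or its inverse `attr_protected`) on the model, and in later Rails versions with strong parameters in the controller; the list of rejected keys returned here is the kind of signal worth logging, since legitimate clients never send them.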


How to mitigate CVE-2012-2054

Install the update from the vendor's website (the issue is fixed in Redmine 1.3.2).

Sources