Vulnerability identifier: #VU40389
Vulnerability risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Debian Linux (Operating systems & Components / Operating system)
Redmine (Web applications / CRM systems)
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Debian Linux: 8.0
Redmine: 3.0.0 - 8.0
External links
http://www.debian.org/security/2016/dsa-3529
http://www.redmine.org/news/103
http://github.com/redmine/redmine/commit/7e423fb4538247d59e01958c48b491f196a1de56
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.