Vulnerability identifier: #VU40391
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Debian Linux
Operating systems & Components /
Operating system
Redmine
Web applications /
CRM systems
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Debian Linux: 8.0
Redmine: 3.0.0 - 8.0
External links
http://www.debian.org/security/2016/dsa-3529
http://www.securityfocus.com/bid/78621
http://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22
http://www.redmine.org/issues/21136
http://www.redmine.org/projects/redmine/wiki/Changelog_3_0
http://www.redmine.org/projects/redmine/wiki/Changelog_3_1
http://www.redmine.org/versions/105
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.