Vulnerability identifier: #VU43418
Vulnerability risk: Low
CVSSv3.1: 1.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Redmine (Web applications / CRM systems)
Vendor: Ruby
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Unspecified vulnerability in the Bazaar repository adapter in Redmine 1.0.x before 1.0.5 allows remote authenticated users to obtain sensitive information via unknown vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Redmine: 1.0.0 - 1.0.4
External links
http://www.debian.org/security/2011/dsa-2261
http://www.openwall.com/lists/oss-security/2012/01/06/5
http://www.openwall.com/lists/oss-security/2012/01/06/7
http://www.redmine.org/news/49
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.