9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.7%
Severity: Critical
Date : 2021-05-19
CVE-ID : CVE-2021-29274 CVE-2021-30163 CVE-2021-30164 CVE-2021-31863
CVE-2021-31864 CVE-2021-31865 CVE-2021-31866
Package : redmine
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1743
The package redmine before version 4.2.1-1 is vulnerable to multiple
issues including arbitrary filesystem access, access restriction
bypass, cross-site scripting, arbitrary file upload and information
disclosure.
Upgrade to 4.2.1-1.
The problems have been fixed upstream in version 4.2.1.
None.
Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an
issue’s subject is mishandled in the auto complete tip.
Redmine before 4.1.2 allows attackers to discover the names of private
projects if issue-journal details exist that have changes to project_id
values.
Redmine before 4.1.2 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the Issues API.
Insufficient input validation in the Git repository integration of
Redmine before 4.2.1 allows Redmine users to read arbitrary local files
accessible by the application server process.
Redmine before 4.2.1 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the incoming mail handler.
Redmine before 4.2.1 allows users to circumvent the allowed filename
extensions of uploaded attachments.
Redmine before 4.1.3 allows an attacker to learn the values of internal
authentication keys by observing timing differences in string
comparison operations within SysController and MailHandlerController.
A remote attacker could disclose private information, perform actions
without having the required permissions, or execute arbitrary
JavaScript code by leveraging cross-site scripting.
https://bugs.archlinux.org/task/70203
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/33846
https://github.com/redmine/redmine/commit/bbfade972865e78e4d865af2cdb93e6cb57d5a45
https://www.redmine.org/issues/33360
https://github.com/redmine/redmine/commit/0d96c4ebdb1cceeb6cac8f940a11b5407a0a5211
https://www.redmine.org/issues/33689
https://github.com/redmine/redmine/commit/a7b9fa99966e8d59bd88548248ab11400ea48e5e
https://www.redmine.org/issues/35085
https://github.com/redmine/redmine/commit/45461bfe51e9492d607f7204120f49ce3396a0cf
https://www.redmine.org/issues/35045
https://github.com/redmine/redmine/commit/d03a718e6efca0493d8b42bd4ba356d736a77f49
https://www.redmine.org/issues/34367
https://github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28
https://www.redmine.org/issues/34950
https://github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93
https://security.archlinux.org/CVE-2021-29274
https://security.archlinux.org/CVE-2021-30163
https://security.archlinux.org/CVE-2021-30164
https://security.archlinux.org/CVE-2021-31863
https://security.archlinux.org/CVE-2021-31864
https://security.archlinux.org/CVE-2021-31865
https://security.archlinux.org/CVE-2021-31866
bugs.archlinux.org/task/70203
github.com/redmine/redmine/commit/0d96c4ebdb1cceeb6cac8f940a11b5407a0a5211
github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93
github.com/redmine/redmine/commit/45461bfe51e9492d607f7204120f49ce3396a0cf
github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28
github.com/redmine/redmine/commit/a7b9fa99966e8d59bd88548248ab11400ea48e5e
github.com/redmine/redmine/commit/bbfade972865e78e4d865af2cdb93e6cb57d5a45
github.com/redmine/redmine/commit/d03a718e6efca0493d8b42bd4ba356d736a77f49
security.archlinux.org/AVG-1743
security.archlinux.org/CVE-2021-29274
security.archlinux.org/CVE-2021-30163
security.archlinux.org/CVE-2021-30164
security.archlinux.org/CVE-2021-31863
security.archlinux.org/CVE-2021-31864
security.archlinux.org/CVE-2021-31865
security.archlinux.org/CVE-2021-31866
www.redmine.org/issues/33360
www.redmine.org/issues/33689
www.redmine.org/issues/33846
www.redmine.org/issues/34367
www.redmine.org/issues/34950
www.redmine.org/issues/35045
www.redmine.org/issues/35085
www.redmine.org/projects/redmine/wiki/Security_Advisories
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.7%