Lucene search

Veracode Vulnerability DatabaseVERACODE:30453

HistoryMay 16, 2021 - 2:18 p.m.

Timing Attack

2021-05-1614:18:14

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Redmine is vulnerable to timing attack. It allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

CPENameOperatorVersion
redmine:stretcheq3.3.1-4+deb9u3
redmine:sideq4.0.7-1

References

lists.debian.org/debian-lts-announce/2021/05/msg00013.html

security-tracker.debian.org/tracker/CVE-2021-31866

www.redmine.org/news/131

www.redmine.org/projects/redmine/wiki/Security_Advisories

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Related for VERACODE:30453

cve1 osv3 ubuntucve1 debiancve1 prion1 archlinux1 nessus1 debian1 openvas1

CPE	Name	Operator	Version
	redmine:stretch	eq	3.3.1-4+deb9u3
	redmine:sid	eq	4.0.7-1