CVE-2015-8473

MEDIUM

Redmine <2.6.8, <3.0.6, <3.1.2 - Info Disclosure

Title source: llm

Description

The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.

References (7)

[Patch] https://www.redmine.org/issues/21136

[Patch] https://www.redmine.org/projects/redmine/wiki/Changelog_3_0

[Patch] https://www.redmine.org/projects/redmine/wiki/Changelog_3_1

[Patch, Vendor Advisory] https://www.redmine.org/versions/105

[Patch] https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/78621

[Third Party Advisory] http://www.debian.org/security/2016/dsa-3529

Scores

CVSS v3 4.3

EPSS 0.0046

EPSS Percentile 64.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (10)

debian/debian_linux

redmine/redmine < 2.6.7

redmine/redmine

redmine/redmine

redmine/redmine

redmine/redmine

redmine/redmine

redmine/redmine

redmine/redmine

redmine/redmine

Timeline

Published Apr 12, 2016

Tracked Since Feb 18, 2026