Description
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
References (7)
Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/78621
Patch x_refsource_confirm
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
Patch, Vendor Advisory x_refsource_confirm
https://www.redmine.org/versions/105
Patch x_refsource_confirm
https://www.redmine.org/projects/redmine/wiki/Changelog_3_1
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3529
Patch x_refsource_confirm
https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22
Patch x_refsource_confirm
https://www.redmine.org/issues/21136
Scores
CVSS v3
4.3
EPSS
0.0172
EPSS Percentile
74.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (10)
debian/debian_linux
8.0
redmine/redmine
3.0.0
redmine/redmine
3.0.1
redmine/redmine
3.0.2
redmine/redmine
3.0.3
redmine/redmine
3.0.4
redmine/redmine
3.0.5
redmine/redmine
3.1.0
redmine/redmine
3.1.1
redmine/redmine
< 2.6.7
Published
Apr 12, 2016
Tracked Since
Feb 18, 2026