CVE-2021-31863

HIGH

Redmine < 4.0.9, 4.1.x < 4.1.3, 4.2.x < 4.2.1 - Arbitrary File Read via Git Repository Integration

Title source: llm

Description

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process. Note that the CVSS vector below scores Privileges Required as None (PR:N), whereas this description requires a Redmine user account.
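The affected ranges above span three release branches with a different fixed version in each, which is easy to get wrong with a plain string comparison ("4.0.10" sorts before "4.0.9" as text). The following is an added example, not code from Redmine or from the advisory, that classifies a Redmine version string against the ranges listed here using Gem::Version from Ruby's standard library. It assumes that branches newer than 4.2 (4.3, 5.x, ...) ship with the fix, since the advisory lists no affected range for them, and that anything older than the 4.0 branch falls under "before 4.0.9".

```ruby
# Added example (not Redmine's or the advisory's own code): decide whether a
# Redmine version string falls inside the ranges CVE-2021-31863 lists as
# affected: < 4.0.9, 4.1.x < 4.1.3, 4.2.x < 4.2.1.
#
# Gem::Version compares numerically segment by segment, so "4.0.10" > "4.0.9",
# which a string comparison would get backwards.
require 'rubygems'

# First fixed release on each branch, taken from the advisory.
FIXED = {
  '4.0' => Gem::Version.new('4.0.9'),
  '4.1' => Gem::Version.new('4.1.3'),
  '4.2' => Gem::Version.new('4.2.1'),
}.freeze

# Returns true if the version is affected, false if it carries the fix, and
# nil if the string is not a parseable version (so callers can tell "unknown"
# apart from "safe").
def affected?(version_string)
  v = Gem::Version.new(version_string.to_s.strip)
  major, minor = v.segments[0, 2]
  branch = "#{major}.#{minor}"

  if FIXED.key?(branch)
    # 4.0.x, 4.1.x, 4.2.x: compare against that branch's own fixed release.
    v < FIXED[branch]
  else
    # Assumption (not stated on the page): every branch before 4.0 is covered
    # by "before 4.0.9", and branches after 4.2 were released with the fix.
    v < FIXED['4.0']
  end
rescue ArgumentError
  # Gem::Version raises on malformed input such as "4.1.x" or "latest".
  nil
end

# Classify a constructed inventory of version strings (sample data, not real hosts).
def classify(versions)
  versions.each_with_object({}) { |ver, out| out[ver] = affected?(ver) }
end

if __FILE__ == $PROGRAM_NAME
  classify(%w[3.4.13 4.0.8 4.0.9 4.1.2 4.1.3 4.2.0 4.2.1 4.3.0 latest]).each do |ver, state|
    label = state.nil? ? 'unparseable' : (state ? 'AFFECTED' : 'fixed')
    puts "#{ver.ljust(8)} #{label}"
  end
end
```

Pre-release suffixes (e.g. "4.2.1.rc1") sort before the final release under Gem::Version rules, so they are reported as affected, which is the conservative answer for a scanner.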

References (3)

Vendor Advisory (x_refsource_misc)
https://www.redmine.org/news/131
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html

Scores

CVSS v3 7.5
EPSS 0.0174
EPSS Percentile 74.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-20 (Improper Input Validation)
Status published
Products (2)
debian/debian_linux 9.0
redmine/redmine < 4.0.9, 4.1.x < 4.1.3, 4.2.x < 4.2.1
Published Apr 28, 2021
Tracked Since Feb 18, 2026