CVE-2021-31866
MEDIUMRedmine < 4.0.9 and 4.1.x < 4.1.3 - Timing Attack via String Comparison in SysController and MailHandlerController
Title source: llmDescription
Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_misc
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
Vendor Advisory x_refsource_misc
https://www.redmine.org/news/131
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html
Scores
CVSS v3
5.3
EPSS
0.0121
EPSS Percentile
64.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-203
Status
published
Products (2)
debian/debian_linux
9.0
redmine/redmine
< 4.0.9
Published
Apr 28, 2021
Tracked Since
Feb 18, 2026