Redmine Redmine

Do you want an email whenever new security vulnerabilities are reported in Redmine?

By the Year

In 2021 there have been 11 vulnerabilities in Redmine with an average score of 6.3 out of ten. Redmine did not have any published security vulnerabilities last year. That is, 11 more vulnerabilities have already been reported in 2021 as compared to last year.

Year Vulnerabilities Average Score
2021 11 6.33
2020 0 0.00
2019 2 6.30
2018 0 0.00

It may take a day or so for new Redmine vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Redmine Security Vulnerabilities

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1

CVE-2021-31863 7.5 - High - April 28, 2021

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.

Improper Input Validation

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1

CVE-2021-31864 5.3 - Medium - April 28, 2021

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.

AuthZ

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1

CVE-2021-31865 5.3 - Medium - April 28, 2021

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.

AuthZ

Redmine before 4.0.9 and 4.1.x before 4.1.3

CVE-2021-31866 5.3 - Medium - April 28, 2021

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

Side Channel Attack

Redmine before 4.0.7 and 4.1.x before 4.1.1

CVE-2020-36308 5.3 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.

Injection

Redmine before 4.0.8 and 4.1.x before 4.1.2

CVE-2021-30164 9.8 - Critical - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

Redmine before 4.0.8 and 4.1.x before 4.1.2

CVE-2021-30164 9.8 - Critical - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist

CVE-2021-30163 7.5 - High - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

Information Disclosure

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist

CVE-2021-30163 7.5 - High - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

Information Disclosure

Redmine before 4.0.7 and 4.1.x before 4.1.1

CVE-2020-36308 5.3 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.

Injection

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS

CVE-2020-36307 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

XSS

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS

CVE-2020-36307 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

XSS

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS

CVE-2020-36306 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.

XSS

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS

CVE-2020-36306 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.

XSS

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

CVE-2019-25026 5.3 - Medium - April 06, 2021

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

CVE-2019-25026 5.3 - Medium - April 06, 2021

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

Redmine 4.1.x before 4.1.2

CVE-2021-29274 6.1 - Medium - March 29, 2021

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.

XSS

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10

CVE-2019-18890 6.5 - Medium - November 21, 2019

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

SQL Injection

In Redmine before 3.4.11 and 4.0.x before 4.0.4

CVE-2019-17427 6.1 - Medium - October 10, 2019

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Redmine or by Redmine? Click the Watch button to subscribe.

Redmine
Vendor

Redmine
Product

subscribe