Redmine Redmine

Do you want an email whenever new security vulnerabilities are reported in Redmine?

By the Year

In 2021 there have been 13 vulnerabilities in Redmine with an average score of 6.3 out of ten. Redmine did not have any published security vulnerabilities last year. That is, 13 more vulnerabilities have already been reported in 2021 as compared to last year.

Year Vulnerabilities Average Score
2021 13 6.34
2020 0 0.00
2019 2 6.30
2018 0 0.00

It may take a day or so for new Redmine vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Redmine Security Vulnerabilities

Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.

CVE-2021-42326 5.3 - Medium - October 12, 2021

Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.

Information Disclosure

Redmine 4.2.0 and 4.2.1

CVE-2021-37156 7.5 - High - August 05, 2021

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.

Insufficient Session Expiration

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1

CVE-2021-31863 7.5 - High - April 28, 2021

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.

Improper Input Validation

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1

CVE-2021-31864 5.3 - Medium - April 28, 2021

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.

AuthZ

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1

CVE-2021-31865 5.3 - Medium - April 28, 2021

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.

AuthZ

Redmine before 4.0.9 and 4.1.x before 4.1.3

CVE-2021-31866 5.3 - Medium - April 28, 2021

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

Side Channel Attack

Redmine before 4.0.7 and 4.1.x before 4.1.1

CVE-2020-36308 5.3 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.

Injection

Redmine before 4.0.8 and 4.1.x before 4.1.2

CVE-2021-30164 9.8 - Critical - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

Redmine before 4.0.8 and 4.1.x before 4.1.2

CVE-2021-30164 9.8 - Critical - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist

CVE-2021-30163 7.5 - High - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

Information Disclosure

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist

CVE-2021-30163 7.5 - High - April 06, 2021

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

Information Disclosure

Redmine before 4.0.7 and 4.1.x before 4.1.1

CVE-2020-36308 5.3 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.

Injection

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS

CVE-2020-36307 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

XSS

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS

CVE-2020-36307 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

XSS

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS

CVE-2020-36306 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.

XSS

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS

CVE-2020-36306 6.1 - Medium - April 06, 2021

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.

XSS

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

CVE-2019-25026 5.3 - Medium - April 06, 2021

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

CVE-2019-25026 5.3 - Medium - April 06, 2021

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

Redmine 4.1.x before 4.1.2

CVE-2021-29274 6.1 - Medium - March 29, 2021

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.

XSS

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10

CVE-2019-18890 6.5 - Medium - November 21, 2019

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

SQL Injection

In Redmine before 3.4.11 and 4.0.x before 4.0.4

CVE-2019-17427 6.1 - Medium - October 10, 2019

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Redmine or by Redmine? Click the Watch button to subscribe.

Redmine
Vendor

Redmine
Product

subscribe