CVE-2021-31865

EUVD-2021-18740
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Affected Products (NVD)
VendorProductVersion
redmineredmine
𝑥
< 4.0.9
redmineredmine
4.1.0 ≤
𝑥
< 4.1.3
redmineredmine
4.2.0 ≤
𝑥
< 4.2.1
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
redmine
bookworm
5.0.4-5+deb12u1
fixed
bookworm (security)
5.0.4-5+deb12u1
fixed
sid
5.0.4-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
redmine
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
dne
impish
dne
jammy
dne
kinetic
ignored
lunar
ignored
mantic
ignored
noble
dne
trusty
dne
xenial
needs-triage
References
https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html
https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html
https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/wiki/Security_Advisories