CVE-2021-42326

EUVD-2021-29300
Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
redmineredmine
𝑥
< 4.1.5
redmineredmine
4.2.0 ≤
𝑥
< 4.2.3
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
redmine
bookworm
5.0.4-5+deb12u1
fixed
bookworm (security)
5.0.4-5+deb12u1
fixed
sid
5.0.4-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
redmine
bionic
needs-triage
focal
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
dne
trusty
ignored
xenial
needs-triage
References
https://lists.debian.org/debian-lts-announce/2021/10/msg00013.html
https://www.redmine.org/news/133
https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10
https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://lists.debian.org/debian-lts-announce/2021/10/msg00013.html
https://www.redmine.org/news/133
https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10
https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10
https://www.redmine.org/projects/redmine/wiki/Security_Advisories