Niubl

**Name of the Vulnerable Software and Affected Versions** Redmine versions prior to 4.0.9 Redmine versions 4.1.x prior to 4.1.3 Redmine versions 4.2.x prior to 4.2.1 **Description** The issue allows attackers to bypass the `add issue notes` permission requirement by leveraging the incoming mail handler. This can enable a remote attacker to impact data integrity. **Recommendations** For Redmine versions prior to 4.0.9, update to version 4.0.9 or later. For Redmine versions 4.1.x prior to 4.1.3, update to version 4.1.3 or later. For Redmine versions 4.2.x prior to 4.2.1, update to version 4.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Redmine versions prior to 4.0.9 Redmine versions 4.1.x prior to 4.1.3 Redmine versions 4.2.x prior to 4.2.1 **Description** The issue is related to insufficient input validation in the Git repository integration of Redmine, allowing remote attackers to access confidential data. This can enable Redmine users to read arbitrary local files that are accessible by the application server process. **Recommendations** For Redmine versions prior to 4.0.9, update to version 4.0.9 or later. For Redmine versions 4.1.x prior to 4.1.3, update to version 4.1.3 or later. For Redmine versions 4.2.x prior to 4.2.1, update to version 4.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Redmine versions prior to 4.0.9 Redmine versions 4.1.x prior to 4.1.3 Redmine versions 4.2.x prior to 4.2.1 **Description** The issue is related to the circumvention of allowed filename extensions for uploaded attachments, potentially allowing a remote attacker to impact data integrity. **Recommendations** For Redmine versions prior to 4.0.9, update to version 4.0.9 or later. For Redmine versions 4.1.x prior to 4.1.3, update to version 4.1.3 or later. For Redmine versions 4.2.x prior to 4.2.1, update to version 4.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Redmine versions 4.0.0 through 4.0.8 Redmine versions 4.1.0 through 4.1.2 **Description** The issue is related to a timing difference in string comparison operations within SysController and MailHandlerController, allowing an attacker to learn internal authentication key values. This can be exploited by a remote attacker to access confidential data. **Recommendations** For Redmine versions 4.0.0 through 4.0.8, update to version 4.0.9 or later. For Redmine versions 4.1.0 through 4.1.2, update to version 4.1.3 or later. As a temporary workaround, consider restricting access to the SysController and MailHandlerController to minimize the risk of exploitation.