PT-2019-4747

Hoger Just · Published 2019-11-19 · Updated 2019-11-26 · CVE-2019-18890

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Redmine versions 3.2.9 and prior, 3.3.x through 3.3.9
Description: A SQL injection issue allows users to access protected information via a crafted object query. The vulnerability stems from the lack of protection for the SQL query structure, which a remote attacker can exploit to gain unauthorized access to protected information.
Recommendations: For Redmine versions 3.2.9 and prior, update to version 3.3.10 or later. For Redmine versions 3.3.x through 3.3.9, update to version 3.3.10 or later. As a temporary workaround, consider restricting access to sensitive data and queries until the patch is applied.

Vulnerability type: SQL injection


Weakness Enumeration

Related Identifiers

BDU:2020-01319
CVE-2019-18890
DSA-4574-1
USN-4200-1

Affected Products

Redmine
Ubuntu