PT-2020-6943 · Redmine · Redmine

Published: 2020-08-12 · Updated: 2024-03-06 · CVE-2021-30164

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Redmine versions prior to 4.0.8
Redmine versions 4.1.x prior to 4.1.2

Description

The issue is related to permission handling errors in the Redmine project and task management web application. Exploitation of this issue allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability can be exploited by leveraging the Issues API to bypass the add issue notes permission requirement.

Recommendations

For Redmine versions prior to 4.0.8, update to version 4.0.8 or later. For Redmine versions 4.1.x prior to 4.1.2, update to version 4.1.2 or later. As a temporary workaround, consider restricting access to the Issues API until a patch is available.

Fix

Weakness Enumeration

Related Identifiers

BDU:2023-07825
BIT-REDMINE-2021-30164
CVE-2021-30164
DLA-2658-1

Affected Products

Redmine