CVE-2021-31866

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Redmine versions 4.0.0 through 4.0.8 Redmine versions 4.1.0 through 4.1.2

Description The issue is related to a timing difference in string comparison operations within SysController and MailHandlerController, allowing an attacker to learn internal authentication key values. This can be exploited by a remote attacker to access confidential data.

Recommendations For Redmine versions 4.0.0 through 4.0.8, update to version 4.0.9 or later. For Redmine versions 4.1.0 through 4.1.2, update to version 4.1.3 or later. As a temporary workaround, consider restricting access to the SysController and MailHandlerController to minimize the risk of exploitation.

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-203

Related Identifiers

BDU:2021-05266

BIT-REDMINE-2021-31866

CVE-2021-31866

DLA-2658-1

Affected Products

Redmine

CVE-2021-31866

Weakness Enumeration

Related Identifiers

Affected Products

References · 20