PT-2022-6946 · Redmine · Redmine

Published: 2022-12-06 · Updated: 2024-03-06 · CVE-2022-44030

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Redmine versions 5.x before 5.0.4

Description: The issue stems from incorrect handling of exceptional states in the Redmine web application for project and task management. It may allow a remote attacker to upload and execute arbitrary files. The vulnerability is due to insufficient permission checks, which can allow downloading of file attachments from any Issue or Wiki page. Depending on the configuration, exploitation may require logging in as a registered user.

Recommendations: For Redmine versions 5.x before 5.0.4, update to version 5.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to file attachments in Issues and Wiki pages to minimize the risk of exploitation. Additionally, ensure that permission checks are properly configured to prevent unauthorized access.

Weakness Enumeration: Improper Handling of Exceptional Conditions

Related Identifiers:
BDU:2023-05703
BIT-REDMINE-2022-44030
CVE-2022-44030

Affected Products: Redmine