Bug 780651 (CVE-2021-30163, CVE-2021-30164) - www-apps/redmine: multiple vulnerabilities
Summary: www-apps/redmine: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-30163, CVE-2021-30164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-06 17:52 UTC by John Helmert III
Modified: 2021-04-28 21:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-04-06 17:52:21 UTC
CVE-2021-30163:

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

CVE-2021-30164:

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.


Fixes in 4.1.2, please bump.
Comment 1 Azamat H. Hackimov 2021-04-08 16:46:01 UTC
See https://github.com/gentoo/gentoo/pull/20145