Redmine Security Test Results

Site: www.redmine.org

Detailed Analysis

• Remote Code Execution (RCE)

  An RCE vulnerability allows attackers to run arbitrary code on your server. In consequence, this enables them to bypass all Redmine roles and permissions. They may read, change and delete all data stored in the Redmine database. Depending on the server configuration, they may even take over the entire server and do things like delete all backups or send out SPAM messages in your or your company's name.
• Possible RCE escalation bug with Serialized Columns in Active Record

  Critical
  When serialized columns that use YAML (the default) are deserialized, Rails before versions 5.2.8.1 / 6.1.7 used YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
  Fixed in: 4.2.8, 5.0.3 More details: CVE-2022-32224
• ImageTragick vulnerability

  Critical
  By uploading manipulated images, an attack can take over the server and read and manipulate all data stored within your Redmine, possible even take over the whole machine.
  Fixed in: 3.1.5, 3.2.2 More details: CVE-2016-3714
• Remote Code Execution through Mercurial adapter

  High
  On Redmine installations with active Mercurial repositories, an attacker can take over the server and read and manipulate all data stored within your Redmine, possibly even take over the entire machine.
  Fixed in: 3.2.9, 3.3.6, 3.4.4 More details: CVE-2017-18026

• Information Leak

  By exploiting an information leak, an attacker may see pieces of information, which would otherwise be hidden, effectively circumventing Redmine's roles and permissions.
• Arbitrary file read in Git adapter

  Critical
  On Redmine installations with active Git repositories, an attacker may have been able to extract and read any file readable by the application server.
  Fixed in: 4.0.9, 4.1.3, 4.2.1 More details: CVE-2021-31863
• SQL Injection

  Critical
  A SQL injection vulnerability allows Redmine users to access protected information via a crafted object query.
  Fixed in: 3.3.10, 3.4.0 More details: CVE-2019-18890
• Information Leak in QueryAssociationColumn and QueryAssociationCustomFieldColumn

  High
  A missing visibility check of associated objects in custom queries might allow read access to fields of otherwise unaccessible objects.
  Fixed in: 4.2.7, 5.0.2
• Improper Handling of Unexpected Data Type in Nokogiri

  High
  Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Updates for Nokogiri are available when using Ruby 2.6 or newer.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2022-29181
• Possible Information Disclosure / Unintended Method Execution in Action Pack

  High
  There is a possible information disclosure / unintended method execution vulnerability in Action Pack (a dependency of Redmine) when using the redirect_to or polymorphic_url helper with untrusted user input.
  Fixed in: 4.1.4, 4.2.2 More details: CVE-2021-22885
• Watcher list visible with only "Add watchers" permission

  Moderate
  Users who are authorized to add watchers to an issue, wiki page or forum topic may see the list of current watchers of the object even if they do not explicitly have the respective "view watchers" permission.
  Fixed in: 5.0.10, 5.1.4 More details: CVE-2024-47225
• Activities index view is leaking usernames

  Moderate
  Using crafted requests to activities listings, Redmine may disclose the names of all active users.
  Fixed in: 4.1.5, 4.2.3 More details: CVE-2021-42326
• Timing attacks in some key comparisons

  Moderate
  Some key comparision operations in Redmine were vulnerable to timing attacks which might have allowed a determined attacker to learn the keys for the sys API or the incoming mail web service through careful timing of many requests.
  Fixed in: 4.0.9, 4.1.3, 4.2.0 More details: CVE-2021-31866
• Information leak in issue journals

  Moderate
  If an issue was moved between projects, issue journals may have shown the name of previous projects of this issue, even if the current user has no permission to see those projects.
  Fixed in: 4.0.8, 4.1.2 More details: CVE-2021-30163
• Information leak in time entries CSV export

  Moderate
  Under certain circumstances the CSV export might disclose subjects of issues that are not visible to the exporting user.
  Fixed in: 4.0.7, 4.1.1 More details: CVE-2020-36308
• Possible Information Leak / Session Hijack Vulnerability

  Moderate
  By carefully measuring the amount of time it takes to look up a session (timing attack), an attacker may be able to find a valid session id and hijack the session.
  Fixed in: 4.0.6 More details: CVE-2019-16782
• Missing permission check when access a repository via SVN

  Moderate
  Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.
  Fixed in: 3.2.6, 3.3.3 More details: CVE-2017-15575
• Erroneous rendering of activity views

  Moderate
  Redmine mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.
  Fixed in: 3.2.6, 3.3.3 More details: CVE-2017-15576
• Erroneous rendering of wiki links

  Moderate
  Redmine mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.
  Fixed in: 3.2.6, 3.3.3 More details: CVE-2017-15577
• Atom feed may contain sensitive information

  Moderate
  Redmine allows remote attackers to obtain sensitive information by viewing an Atom feed.
  Fixed in: 2.6.9, 3.0.7, 3.1.3 More details: CVE-2015-8537
• Issues API may disclose changeset messages that are not visible

  Moderate
  By fetching the issues details via the REST API, an authenticated user may see changeset details, without having the necessary permissions.
  Fixed in: 2.6.8, 3.0.6, 3.1.2 More details: CVE-2015-8473
• Time log form reveals private issue subject

  Moderate
  The time log form can be used to see issue subject for issues, which are inaccessible to the user.
  Fixed in: 2.6.8, 3.0.6, 3.1.2 More details: CVE-2015-8346
• Leaking of project names on error view

  Moderate
  Since the server state was not managed properly in case of an exception, the error page could have contained information from a different user – in this case the list of projects visible to the respective user.
  Fixed in: 2.4.6, 2.5.2
• Double-render error with ApplicationController#find_optional_project

  Low
  By crafting URLs and observing responses to those URLs, an attacker might learn the existence of private projects.
  Fixed in: 4.2.10, 5.0.5
• Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

  Low
  In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. This security advisory does not apply to CRuby users. When using JRuby, make sure to run at least JRuby 9.2.0 to be able to use the Nokogiri update.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2021-41098
• Reminder sent to ex-project members

  Low
  Reminder mails were sent to assignees, even if they no longer have access to the issue itself. This may reveal sensitive information.
  Fixed in: 3.2.7, 3.3.4 More details: CVE-2017-16804

• Cross-Site Scripting (XSS)

  By exploiting an XSS vulnerability an attacker may take over your login sessions and do anything your user account would be allowed to do. If they can lure an adminstrator into their trap, they would have access to all the data stored within Redmine, enabling them to read, change and delete everything.
• XSS in Markdown formatter

  High
  By submitting crafted markup to a Redmine which is configured to use the legacy Markdown formatter, an attacker can inject malicious JavaScript code into submitted Markdown text. Depending on the Redmine configuration, this may require prior login with a registered user.
  Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-47258
• XSS in Textile formatter

  High
  By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.
  Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-47259
• XSS in image thumbnails

  High
  By submitting specifically crafted image attachments to a Redmine, an attacker may inject malicious JavaScript code into Redmine which may be executed within the Redmine origin. Depending on the Redmine configuration, this may require prior login with a registered user.
  Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-47260
• Persistent XSS in textile formatting due to blockquote citation

  High
  By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.
  Fixed in: 4.2.9, 5.0.4 More details: CVE-2022-44031
• Persistent XSS in textile formatting

  High
  By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.
  Fixed in: 4.2.9, 5.0.4 More details: CVE-2022-44637
• Persistent XSS vulnerabilities in Textile inline links

  High
  The Textile text formatter did not sufficiently filter link targets for javascript, which allowed plain javascript: link targets through crafted links.
  Fixed in: 4.0.7, 4.1.1 More details: CVE-2020-36307
• Persistent XSS in textile formatting

  High
  Specially crafted input in Redmine Textile text areas would allow an attacker to insert arbitrary Javascript which in turn was executed when any user opens an affected page, e.g. an issue, wiki page, etc.
  Fixed in: 3.3.10, 3.4.11, 4.0.4 More details: CVE-2019-17427
• Incomplete sanitization of multi-value custom fields

  High
  An attacker may use multi-value custom fields to embed malicious code into the issue history, the issue list, or the time log.
  Fixed in: 3.2.8, 3.3.5, 3.4.3 More details: CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, CVE-2017-15571
• Cross-site scripting attack using manipulated SVG images

  High
  An attacker may attach malicious SVG images to issues or comments. When they are displayed to regular users, embeded code would be executed without their knowledge.
  Fixed in: 3.2.6, 3.3.3 More details: CVE-2017-15574
• Incomplete sanitization of Textile and Markdown text

  High
  An attacker may embed malicious code into issue descriptions or comments.
  Fixed in: 3.2.3 More details: CVE-2016-10515
• 3 XSS security vulnerabilities in jQuery UI

  Moderate
  The updated date picker control in jQuery UI 1.13 fixes 3 possible XSS vulnerabilities.
  Fixed in: 4.2.7, 5.0.2 More details: CVE-2021-41182, CVE-2021-41183, CVE-2021-41184
• Possible XSS Vulnerability in Action View tag helpers

  Moderate
  There is a possible XSS vulnerability in Action View tag helpers when passing untrusted input as hash keys.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2022-27777
• XSS vulnerability due to missing URL validation

  Moderate
  Incomplete validation of return URLs could be used to trick users into making unintended requests.
  Fixed in: 4.0.7, 4.1.1 More details: CVE-2020-36306
• Incomplete sanitization of user supplied text

  Moderate
  An attacker may embed malicious code into issue descriptions or comments.
  Fixed in: 3.4.13, 4.0.6 More details: CVE-2019-25026
• Incomplete sanitization of user supplied text

  Moderate
  An attacker may embed malicious code into issue descriptions or comments.
  Fixed in: 3.2.6, 3.3.3 More details: CVE-2017-15573
• jQuery UI: XSS when refreshing a checkboxradio with an HTML-like initial text label

  Low
  The checkboxradio widget of jQuery UI might erroneously decode HTML entities on refresh. This can lead to potentially executing JavaScript code. This widget is not used by standard Redmine but might be leveraged by plugins.
  Fixed in: 4.2.8, 5.0.3 More details: CVE-2022-31160
• Erroneous Flash rendering

  Low
  Flash messages are not sanitized properly.
  Fixed in: 2.6.2, 3.0.0 More details: CVE-2015-8477

• Denial of Service (DOS)

  In a Denial of Service attack, your Redmine becomes compromised in a way that it does not function properly anymore. Using a Denial of Service vulnerability, attackers may not necessarily obtain or modify any data on the server, but they may render it unresponsive for users or disrupt certain functionality of your Redmine installation.
• Inefficient Regular Expression Complexity in Nokogiri

  High
  Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Updates for Nokogiri are available when using Ruby 2.6 or newer.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2022-24836
• Update packaged libxml2 and libxslt in Nokogiri

  High
  Updates in the packaged dependencies libxml2 (to 2.9.14) and libxsl (to 1.1.35) of Nokogiri addresses various security issues, having multiple and partially unspecified impact including denial of service, memory disclosure, or code execution. Updates for Nokogiri are available when using Ruby 2.6 or newer.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2021-30560, CVE-2022-23308, CVE-2022-29824
• Update packaged zlib from 1.2.11 to 1.2.12

  High
  Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12. zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. This advisory only applies to the CRuby implementation of Nokogiri and only if the packaged version of zlib is being used.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2018-25032
• Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

  Moderate
  Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
  Fixed in: 5.0.10, 5.1.4 More details: CVE-2024-41128
• Update packaged libxml2 in Nokogiri

  Moderate
  Updates in the packaged dependencies libxml2 (to 2.10.4) of Nokogiri addresses various security issues, having multiple and partially unspecified impact including dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs, as well as various logic or memory errors, including double frees. Updates for Nokogiri are available when using Ruby 2.7 or newer.
  Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-29469, CVE-2023-28484
• Various vulnerabilities in Nokogiri

  Moderate
  Various vulnerabilities in Nokigiri and its bundled libxml and libz libraries were fixed in Nokogiri 1.13.10. Updates for Nokogiri are available when using Ruby 2.6 or newer.
  Fixed in: 4.2.10, 5.0.5 More details: CVE-2022-2309, CVE-2022-40304, CVE-2022-40303, CVE-2022-37434, CVE-2022-23476
• Denial of Service Vulnerability in Rails Action View

  Moderate
  Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the Redmine server to be unable to process requests.
  Fixed in: 3.3.10, 3.4.10, 4.0.3 More details: CVE-2019-5419
• Update packaged Xerces Java from 2.12.0 to 2.12.2 in Nokogiri on JRuby

  Low
  Nokogiri v1.13.4 updates the vendored xerces:xercesImpl to handle a case where the XercesJ XML parser when handling specially crafted XML document payloads waits in an infinite loop, which may sometimes consume system resources for prolonged duration. This security advisory does not apply to CRuby users. When using JRuby, make sure to run at least JRuby 9.3.0 to be able to use the Nokogiri update.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2022-23437
• Denial of Service (DoS) in Nokogiri on JRuby

  Low
  Nokogiri v1.13.4 updates the vendored org.cyberneko.html library which raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. This security advisory does not apply to CRuby users. When using JRuby, make sure to run at least JRuby 9.3.0 to be able to use the Nokogiri update.
  Fixed in: 4.2.6, 5.0.1 More details: CVE-2022-24839

• File Content Disclosure

  By exploiting a File Content Disclosure vulnerability, attackers may be able to download certain files from your server. In severe cases, hackers could get access to any file they wish, including the files storing your Redmine database or server passwords. In consequence, they might be able to take over the entire server by logging in using a regular user's password.
• File Content Disclosure in Rails Action View

  High
  Specially crafted accept headers in combination with calls to certain URLs within Redmine can cause arbitrary files on the target server to be rendered, disclosing the file contents.
  Fixed in: 3.3.10, 3.4.10, 4.0.3 More details: CVE-2019-5418

• Privilege Escalation

  By exploiting a privilege escalation vulnerability, an attacker may be able to perform actions which they would otherwise not be allowed to perform, effectively circumventing Redmine's roles and permissions.
• Insufficient permission checks when adding attachments to issues

  Moderate
  Due to missing permission checks, Redmine might allow unauthorized users to add attachments to issues when could not otherwise edit. Accessing existing attachments is not affected by this.
  Fixed in: 4.2.10, 5.0.5
• no-permission-check option in mail handler allows issue creation in closed/archived projects

  Moderate
  Setting --no-permission-check in the mail receiver allows creating issues and probably other objects in closed and archived projects.
  Fixed in: 4.2.7, 5.0.2
• Allowed filename extensions of attachments can be circumvented

  Moderate
  The global setting to restrict uploaded files to only selected file extensions could be circumvented if the user is allowed to rename file attachments.
  Fixed in: 4.0.9, 4.1.3, 4.2.1 More details: CVE-2021-31865

• Server Side Request Forgery (SSRF)

  In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.
• Ruby OpenID security update

  Moderate
  Ruby OpenID (aka ruby-openid) is used by Redmine to integrate with OpenID Providers. ruby-openid performed discovery first, and then verification. This allowed an attacker to change the URL used for discovery and trick the server into connecting to the URL. This server in turn could be a private server not publicly accessible.
  Fixed in: 3.3.10, 3.4.12, 4.0.5 More details: CVE-2019-11027

• Reset tokens may leak to other websites

  Moderate
  Since the password reset tokens were part of the web address, users which follow links from the password reset page to other web sites, leak the token to these websites. It will appear in the log files of those external websites.
  Fixed in: 3.2.6, 3.3.3 More details: CVE-2017-15572

• Open Redirect

  By exploiting an open redirect vulnerability an attacker may lure a user on to a phishing site (e.g. a fake login form) using a legitimately looking link. This usually increases the likelihood of users to fall for this kind of attack. With a stolen password, the attacker may take over the user's account and view, change or delete anything the user would be allowed to.
• Redirect after login not verified properly

  Moderate
  Since the redirect URL after login is not checked properly an attacker is able to lure users into phishing attacks.
  Fixed in: 2.6.7, 3.0.5, 3.1.1 More details: CVE-2015-8474

How this works

Redmine Security Scanner tries to determine the version of your Redmine installation and it will list all known security vulnerabilities for that version. In addition, it will check your server configuration and make sure everything is set up securely.

Based on the results of these checks, Redmine Security Scanner will assign one of the following grades:

A+

Your Redmine installation is up to date, protected by properly configured TLS/SSL, not accessible via an unencrypted connection and all security relevant server headers are configured properly. Well done!

A

Your Redmine installation is up to date, protected by properly configured TLS/SSL and not accessible via an unencrypted connection. However you are missing some security relevant server headers which we recommend to further harden your server.

B

Your Redmine installation is up to date, protected by SSL but you are using a self-signed or untrusted certificate. This may lead to security warnings in your browser. Attackers may use this for phishing attacks and steal your user's passwords.

C

Your Redmine installation is up to date, but it's accessible via an unencrypted plain text HTTP connection. Attackers in the same (wireless) network as your users can easily intercept all traffic and steal your user's passwords. Servers with enabled TLS/SSL will get the same rating if unencrypted access is possible as well.

D

Your Redmine installation is too old and is vulnerable to at least one security issue of low severity.

E

Your Redmine installation is too old and is vulnerable to at least one security issue of moderate severity.

F

Your Redmine installation is too old and is vulnerable to at least one security issue of critical or high severity.