Redmine Security Report for version 3.3.10
Redmine 3.3.10 was released over 4 years ago on November 18, 2019. It is subject to 35 known vulnerabilities.
What now?
We strongly recommend you update your Redmine to the latest version.
Not enough time to keep Redmine secure?
Move to Professionally Hosted Redmine by Planio.
Detailed Analysis
Remote Code Execution (RCE)
An RCE vulnerability allows attackers to run arbitrary code on your server. As a consequence, they can bypass all Redmine roles and permissions: they may read, change and delete all data stored in the Redmine database. Depending on the server configuration, they may even take over the entire server and do things like delete all backups or send out spam messages in your or your company's name.
- Possible RCE escalation bug with Serialized Columns in Active Record (Critical): When serialized columns that use YAML (the default) are deserialized, Rails before versions 5.2.8.1 / 6.1.7 used YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
Information Leak
By exploiting an information leak, an attacker may see pieces of information that would otherwise be hidden, effectively circumventing Redmine's roles and permissions.
- Arbitrary file read in Git adapter (Critical): On Redmine installations with active Git repositories, an attacker may have been able to extract and read any file readable by the application server.
- Information Leak in QueryAssociationColumn and QueryAssociationCustomFieldColumn (High): A missing visibility check of associated objects in custom queries might allow read access to fields of otherwise inaccessible objects.
- Improper Handling of Unexpected Data Type in Nokogiri (High): Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Updates for Nokogiri are available when using Ruby 2.6 or newer.
- Possible Information Disclosure / Unintended Method Execution in Action Pack (High): There is a possible information disclosure / unintended method execution vulnerability in Action Pack (a dependency of Redmine) when using the redirect_to or polymorphic_url helper with untrusted user input.
- Activities index view is leaking usernames (Moderate): Using crafted requests to activities listings, Redmine may disclose the names of all active users.
- Timing attacks in some key comparisons (Moderate): Some key comparison operations in Redmine were vulnerable to timing attacks, which might have allowed a determined attacker to learn the keys for the sys API or the incoming mail web service through careful timing of many requests.
- Information leak in issue journals (Moderate): If an issue was moved between projects, issue journals may have shown the names of previous projects of this issue, even if the current user has no permission to see those projects.
- Information leak in time entries CSV export (Moderate): Under certain circumstances the CSV export might disclose subjects of issues that are not visible to the exporting user.
- Possible Information Leak / Session Hijack Vulnerability (Moderate): By carefully measuring the amount of time it takes to look up a session (timing attack), an attacker may be able to find a valid session id and hijack the session. Fixed in: 4.0.6. More details: CVE-2019-16782
- Double-render error with ApplicationController#find_optional_project (Low): By crafting URLs and observing responses to those URLs, an attacker might learn the existence of private projects.
- Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby (Low): In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. This security advisory does not apply to CRuby users. When using JRuby, make sure to run at least JRuby 9.2.0 to be able to use the Nokogiri update.
Cross-Site Scripting (XSS)
By exploiting an XSS vulnerability, an attacker may take over your login session and do anything your user account would be allowed to do. If they can lure an administrator into their trap, they would have access to all the data stored within Redmine, enabling them to read, change and delete everything.
- XSS in Markdown formatter (High): By submitting crafted markup to a Redmine which is configured to use the legacy Markdown formatter, an attacker can inject malicious JavaScript code into submitted Markdown text. Depending on the Redmine configuration, this may require prior login with a registered user.
- XSS in Textile formatter (High): By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.
- XSS in image thumbnails (High): By submitting specifically crafted image attachments to a Redmine, an attacker may inject malicious JavaScript code into Redmine which may be executed within the Redmine origin. Depending on the Redmine configuration, this may require prior login with a registered user.
- Persistent XSS in textile formatting due to blockquote citation (High): By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.
- Persistent XSS in textile formatting (High): By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.
- Persistent XSS vulnerabilities in Textile inline links (High): The Textile text formatter did not sufficiently filter link targets for javascript, which allowed plain javascript: link targets through crafted links.
- 3 XSS security vulnerabilities in jQuery UI (Moderate): The updated date picker control in jQuery UI 1.13 fixes 3 possible XSS vulnerabilities.
- Possible XSS Vulnerability in Action View tag helpers (Moderate): There is a possible XSS vulnerability in Action View tag helpers when passing untrusted input as hash keys.
- XSS vulnerability due to missing URL validation (Moderate): Incomplete validation of return URLs could be used to trick users into making unintended requests.
- Incomplete sanitization of user supplied text (Moderate): An attacker may embed malicious code into issue descriptions or comments.
- jQuery UI: XSS when refreshing a checkboxradio with an HTML-like initial text label (Low): The checkboxradio widget of jQuery UI might erroneously decode HTML entities on refresh. This can lead to potentially executing JavaScript code. This widget is not used by standard Redmine but might be leveraged by plugins.
Denial of Service (DoS)
In a Denial of Service attack, your Redmine is disrupted so that it no longer functions properly. Attackers exploiting a Denial of Service vulnerability may not necessarily obtain or modify any data on the server, but they may render it unresponsive for users or disrupt certain functionality of your Redmine installation.
- Inefficient Regular Expression Complexity in Nokogiri (High): Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Updates for Nokogiri are available when using Ruby 2.6 or newer.
- Update packaged libxml2 and libxslt in Nokogiri (High): Updates to the packaged dependencies libxml2 (to 2.9.14) and libxslt (to 1.1.35) of Nokogiri address various security issues with multiple and partially unspecified impact, including denial of service, memory disclosure, or code execution. Updates for Nokogiri are available when using Ruby 2.6 or newer.
- Update packaged zlib from 1.2.11 to 1.2.12 (High): Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12. zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. This advisory only applies to the CRuby implementation of Nokogiri and only if the packaged version of zlib is being used.
- Update packaged libxml2 in Nokogiri (Moderate): The update to the packaged dependency libxml2 (to 2.10.4) of Nokogiri addresses various security issues with multiple and partially unspecified impact, including dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs, as well as various logic or memory errors, including double frees. Updates for Nokogiri are available when using Ruby 2.7 or newer.
- Various vulnerabilities in Nokogiri (Moderate): Various vulnerabilities in Nokogiri and its bundled libxml and libz libraries were fixed in Nokogiri 1.13.10. Updates for Nokogiri are available when using Ruby 2.6 or newer. Fixed in: 4.2.10, 5.0.5. More details: CVE-2022-2309, CVE-2022-40304, CVE-2022-40303, CVE-2022-37434, CVE-2022-23476
- Update packaged Xerces Java from 2.12.0 to 2.12.2 in Nokogiri on JRuby (Low): Nokogiri v1.13.4 updates the vendored xerces:xercesImpl to handle a case where the XercesJ XML parser, when handling specially crafted XML document payloads, waits in an infinite loop, which may sometimes consume system resources for a prolonged duration. This security advisory does not apply to CRuby users. When using JRuby, make sure to run at least JRuby 9.3.0 to be able to use the Nokogiri update.
- Denial of Service (DoS) in Nokogiri on JRuby (Low): Nokogiri v1.13.4 updates the vendored org.cyberneko.html library which raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. This security advisory does not apply to CRuby users. When using JRuby, make sure to run at least JRuby 9.3.0 to be able to use the Nokogiri update.
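A practical first check against the fix versions this report names (Rails 5.2.8.1 / 6.1.7 for the serialized-column YAML.unsafe_load issue above, and Nokogiri 1.13.10 as the latest Nokogiri fix listed) is to read them out of the installation's Gemfile.lock. The script below is an added example, not part of Planio's report or of Redmine itself; the Gemfile.lock fragment is constructed for the demo, and the release-series rule (a gem counts as patched only at or above the listed fix on its own major.minor series, with newer series the report does not cover reported as unknown) is this example's own assumption.

```ruby
require "rubygems" # Gem::Version, part of Ruby's standard library

# Fixed versions named in the report above (Rails: YAML.unsafe_load in
# serialized columns; Nokogiri: the latest fix the report lists).
FIXED_VERSIONS = {
  "rails"    => %w[5.2.8.1 6.1.7].map { |v| Gem::Version.new(v) },
  "nokogiri" => %w[1.13.10].map { |v| Gem::Version.new(v) },
}.freeze

# Constructed Gemfile.lock fragment for the demo, not a real Redmine lockfile.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    specs:
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
      rails (4.2.11)
LOCK

# Top-level spec lines are indented exactly four spaces ("    rails (4.2.11)");
# their dependency lines (six spaces, "~>" constraints) are skipped.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, locked|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/)
    locked[m[1]] = m[2].sub(/-.*/, "") if m # drop any platform suffix
  end
end

# :patched    at or above the listed fix for the gem's own release series
# :vulnerable below that fix, or older than every fix the report names
# :unknown    a newer series the report does not cover, or an unlisted gem
def gem_status(name, version_string)
  fixes = FIXED_VERSIONS[name] or return :unknown
  version = Gem::Version.new(version_string)
  series = ->(v) { v.segments.first(2) } # major.minor identifies the series
  series_fix = fixes.find { |f| series.(f) == series.(version) }
  if series_fix
    version >= series_fix ? :patched : :vulnerable
  elsif version < fixes.max
    :vulnerable
  else
    :unknown
  end
end

# Status of every gem the report covers; gems missing from the lockfile are :absent.
def check_lockfile(text)
  locked = parse_lockfile(text)
  FIXED_VERSIONS.keys.each_with_object({}) do |name, report|
    report[name] = locked[name] ? gem_status(name, locked[name]) : :absent
  end
end
```

Run `check_lockfile(File.read("Gemfile.lock"))` from the Redmine root to see the status of the two gems; an :unknown result means the lockfile is on a series this report does not cover and needs to be checked against the current advisories.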
Privilege Escalation
By exploiting a privilege escalation vulnerability, an attacker may be able to perform actions which they would otherwise not be allowed to perform, effectively circumventing Redmine's roles and permissions.
- Insufficient permission checks when adding attachments to issues (Moderate): Due to missing permission checks, Redmine might allow unauthorized users to add attachments to issues they could not otherwise edit. Accessing existing attachments is not affected by this.
- no-permission-check option in mail handler allows issue creation in closed/archived projects (Moderate): Setting --no-permission-check in the mail receiver allows creating issues and probably other objects in closed and archived projects.
- Allowed filename extensions of attachments can be circumvented (Moderate): The global setting to restrict uploaded files to only selected file extensions could be circumvented if the user is allowed to rename file attachments.
- Mail handler bypasses "Add notes" permission (Low): On Redmine installations with configured incoming emails, due to an incomplete permission check, Redmine allowed journal notes to be added to issues even if the user did not have the "Add notes" permission but had the "Edit issues" permission.
- Privilege escalation while adding issue notes (Low): Due to an incomplete permission check, Redmine allowed journal notes to be added to issues even if the user did not have the "Add notes" permission but had the "Edit issues" permission.