Redmine Security Report for version 4.2.11
Redmine 4.2.11 was released almost 2 years ago on September 30, 2023. It is subject to 4 known vulnerabilities.
What now?
We strongly recommend you update your Redmine to the latest version.
Not enough time to keep Redmine secure?
Move to Professionally Hosted Redmine by Planio.
Detailed Analysis
Privilege Escalation
By exploiting a privilege escalation vulnerability, an attacker may be able to perform actions which they would otherwise not be allowed to perform, effectively circumventing Redmine's roles and permissions.
- /my/account does not correctly enforce sudo mode (Severity: Moderate)
  Due to insufficient checks, a password confirmation may not be required in all cases when changing the email address or other user settings of the current user.
Information Leak
By exploiting an information leak, an attacker may see pieces of information which would otherwise be hidden, effectively circumventing Redmine's roles and permissions.
- Watcher list visible with only "Add watchers" permission (Severity: Moderate)
  Users who are authorized to add watchers to an issue, wiki page or forum topic may see the list of current watchers of the object even if they do not explicitly have the respective "view watchers" permission.
Denial of Service (DoS)
In a Denial of Service attack, your Redmine becomes compromised in a way that it no longer functions properly. Using a Denial of Service vulnerability, attackers may not necessarily obtain or modify any data on the server, but they may render it unresponsive for users or disrupt certain functionality of your Redmine installation.
- Possible ReDoS vulnerability in query parameter filtering in Action Dispatch (Severity: Moderate)
  Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
Remote Code Execution (RCE)
An RCE vulnerability allows attackers to run arbitrary code on your server. In consequence, this enables them to bypass all Redmine roles and permissions. They may read, change and delete all data stored in the Redmine database. Depending on the server configuration, they may even take over the entire server and do things like delete all backups or send out SPAM messages in your or your company's name.
- Multiple vulnerabilities in Nokogiri / libxml2 (Severity: Low)
  Updates to the packaged dependency libxml2 (to 2.13.6) of Nokogiri address multiple security issues, including a possible stack-buffer overflow when reporting DTD validation errors and a possible use-after-free during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas. Updates for Nokogiri are available when using Ruby 3.1 or newer.