Redmine Security Report for version 6.0.0
Redmine 6.0.0 was released over 1 year ago on November 11, 2024. It is subject to 19 known vulnerabilities.
What now?
We strongly recommend you update your Redmine to the latest version.
Not enough time to keep Redmine secure?
Move to Professionally Hosted Redmine by Planio.
Detailed Analysis
Remote Code Execution (RCE)
An RCE vulnerability allows attackers to run arbitrary code on your server. In consequence, this enables them to bypass all Redmine roles and permissions. They may read, change and delete all data stored in the Redmine database. Depending on the server configuration, they may even take over the entire server and do things like delete all backups or send out spam messages in your or your company's name.
- PostScript disguised as PDF can lead to arbitrary file operations via thumbnail generation (Critical): Some specifically crafted PostScript files may be confused with a PDF file during thumbnail creation. This can cause the content of arbitrary files on the target server to be rendered, disclosing the file contents; it may also allow an attacker to overwrite arbitrary files writeable by the Redmine user, or possibly even achieve arbitrary remote code execution and take over the server entirely.
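The confusion above comes from trusting a file's name rather than its content. As an added example (not Redmine's own code, and not the project's actual fix), the following check classifies an upload by its leading bytes and refuses to thumbnail a "PDF" whose body is really PostScript; it assumes the thumbnailer is only handed files that pass it.

```ruby
# Added example, not Redmine's own code or its actual fix: refuse to thumbnail
# a "PDF" whose bytes are really PostScript. The decision is made on the file's
# leading bytes, not on the extension or the client-supplied content type.

PDF_MAGIC = "%PDF-".b   # a well-formed PDF starts with "%PDF-<version>"
PS_MAGIC  = "%!PS".b    # PostScript starts with "%!PS" (e.g. "%!PS-Adobe-3.0")

# Classify the data by its header. Strict on purpose: the PDF header must sit at
# offset 0, so a PostScript prologue followed by "%PDF-" is still :postscript.
def sniff_document_type(bytes)
  head = bytes.to_s.b[0, 16]
  return :postscript if head.start_with?(PS_MAGIC)
  return :pdf        if head.start_with?(PDF_MAGIC)
  :unknown
end

# True only when the declared .pdf extension and the sniffed type agree.
# Anything else (a .ps file, or PostScript named report.pdf) is refused.
def safe_to_thumbnail?(filename, bytes)
  File.extname(filename.to_s).downcase == ".pdf" &&
    sniff_document_type(bytes) == :pdf
end

# Constructed sample inputs: a minimal PDF header and a PostScript header
# uploaded under a .pdf filename.
SAMPLE_PDF = "%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
SAMPLE_PS  = "%!PS-Adobe-3.0\n(hello) show\n"

if __FILE__ == $PROGRAM_NAME
  puts safe_to_thumbnail?("report.pdf", SAMPLE_PDF)  # true
  puts safe_to_thumbnail?("report.pdf", SAMPLE_PS)   # false
end
```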
- Multiple vulnerabilities in Nokogiri / libxml2 (Low): Updating the libxml2 packaged with Nokogiri (to 2.13.6) addresses multiple security issues, including a possible stack-buffer overflow when reporting DTD validation errors and a possible use-after-free during validation against untrusted XML Schemas (.xsd) and, potentially, during validation of untrusted documents against trusted Schemas. Updates for Nokogiri are available when using Ruby 3.1 or newer.
Cross-Site Scripting (XSS)
By exploiting an XSS vulnerability, an attacker may take over your login session and do anything your user account would be allowed to do. If they can lure an administrator into their trap, they would have access to all the data stored within Redmine, enabling them to read, change and delete everything.
- (Stored) XSS in @mention autocomplete via unescaped user name (High): Due to incomplete sanitization of user names in the @mention autocomplete feature, a malicious user may cause malicious JavaScript code to be injected into the DOM of another user while that user is editing a text field.
- XSS in macros (High): By submitting specifically crafted macro statements to Redmine, an attacker may inject malicious JavaScript code into Redmine which may be executed within the Redmine origin. Depending on the Redmine configuration, this may require prior login with a registered user.
- XSS in custom query (High): By saving a custom query with a specifically crafted name, an attacker may inject malicious JavaScript code into Redmine which may be executed within the Redmine origin when a user clicks on the saved query. Depending on the Redmine configuration, this may require prior login with a registered user and permission to save a public query. Fixed in: 6.0.4
- DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation (Low): Due to missing sanitization, malicious custom field names may cause arbitrary JavaScript code to be executed when adding a filter for that field. Custom fields can only be edited by administrators.
Information Leak
By exploiting an information leak, an attacker may see pieces of information which would otherwise be hidden, effectively circumventing Redmine's roles and permissions.
- Information disclosure in Two-Factor Authentication (High): If two-factor authentication is configured for a user, the TOTP setup code could be viewed again from a logged-in session, which could allow an attacker with access to a logged-in user session to copy the TOTP setup code.
- ProjectQuery leaks details of private projects (High): By crafting a specific URL to a project query, an attacker with permission to see any project may gather details of all projects in Redmine, including the name, description, status and any project custom fields. Depending on the Redmine configuration, this may require prior login with a registered user.
- Directory Traversal via Backslash-Separated Paths in Filesystem SCM (Moderate): When using the filesystem SCM type on a filesystem that uses a backslash as path separator (e.g. Windows), a user with read access to the repository may retrieve directory listings outside the repository root. File access outside the repository root is not possible.
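The weakness above is a path check that only recognizes "/" as a separator. As an added example (not Redmine's own code), the following normalization treats both "/" and "\" as separators, so a backslash-separated ".." sequence is refused on Windows-style filesystems as well; the repository root path is a constructed sample value.

```ruby
# Added example, not Redmine's own code: normalize a user-supplied repository
# path so that ".." cannot escape the repository root, treating both "/" and
# "\" as separators. Splitting only on "/" would let "..\\..\\" pass untouched
# on a filesystem that uses backslashes (e.g. Windows).

# Returns the cleaned relative path, or nil if the path would climb above the
# root or contains a segment that is unsafe on Windows-style filesystems.
def normalize_repo_path(path)
  kept = []
  path.to_s.split(%r{[\\/]+}).each do |seg|
    next if seg.empty? || seg == "."
    # Drive letters ("C:"), alternate data streams and NUL bytes are never
    # legitimate inside a repository path.
    return nil if seg.include?(":") || seg.include?("\0")
    if seg == ".."
      return nil if kept.empty?   # would leave the repository root
      kept.pop
    else
      kept << seg
    end
  end
  kept.join("/")
end

# Joins the cleaned path onto the root; nil means "refuse the request".
# Symlinks inside the repository are a separate concern: on a live filesystem
# also compare File.realpath of the result against the root.
def resolve_in_root(root, user_path)
  rel = normalize_repo_path(user_path)
  return nil if rel.nil?
  rel.empty? ? root : File.join(root, rel)
end

if __FILE__ == $PROGRAM_NAME
  # "/srv/repo" is a constructed sample root.
  p resolve_in_root("/srv/repo", "src\\main.rb")          # "/srv/repo/src/main.rb"
  p resolve_in_root("/srv/repo", "\\..\\..\\etc\\passwd")  # nil
end
```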
- LDAP Injection (Unescaped Input in LDAP Search Filter) (Moderate): Due to insufficient escaping, an attacker with knowledge of an existing valid password may learn details about the user with that password. This requires an active LDAP auth source with "On-the-fly user creation" enabled.
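The fix for an unescaped search filter is to escape the user-supplied value per RFC 4515 before interpolating it. As an added example (not Redmine's or the net-ldap gem's code), the following shows the unescaped filter beside the hardened one; the attribute name "uid" and the objectClass are assumed auth-source settings.

```ruby
# Added example, not Redmine's or the net-ldap gem's code: build the LDAP
# search filter used to look a user up by login, with RFC 4515 escaping applied
# to the user-supplied value so filter metacharacters cannot alter the query.
# The attribute name "uid" and objectClass "person" are assumed settings.

# RFC 4515 escapes: each special character becomes "\" + two hex digits.
LDAP_FILTER_ESCAPES = {
  "\\"   => "\\5c",
  "*"    => "\\2a",
  "("    => "\\28",
  ")"    => "\\29",
  "\x00" => "\\00"
}.freeze

def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Unescaped version, kept only to show the difference: the login is
# interpolated verbatim, so parentheses and "*" in it become filter syntax.
def user_lookup_filter_unescaped(login, login_attr: "uid")
  "(&(objectClass=person)(#{login_attr}=#{login}))"
end

# Hardened version: the login can only ever match as a literal value.
def user_lookup_filter(login, login_attr: "uid")
  "(&(objectClass=person)(#{login_attr}=#{ldap_filter_escape(login)}))"
end

if __FILE__ == $PROGRAM_NAME
  puts user_lookup_filter("jdoe")        # (&(objectClass=person)(uid=jdoe))
  puts user_lookup_filter("a*b(c)")      # (&(objectClass=person)(uid=a\2ab\28c\29))
end
```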
- Users who are allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API (Moderate): Users who may view only their own time entries can nevertheless retrieve another user's time entry details by requesting its TimeEntry ID directly through the REST API.
- Information disclosure when copying issues (Moderate): When copying issues, all existing custom values are set on the new issue without sufficient validation. Depending on the configured custom field visibility, this may allow users with permission to copy issues to see more custom field values of existing issues.
- Username and password stored in login form (Low): Pages where passwords can be entered may be cached by browsers, allowing a physically present attacker to use the browser's Back button to reveal the entered passwords in an open browser window even after logout.
Privilege Escalation
By exploiting a privilege escalation vulnerability, an attacker may be able to perform actions which they would otherwise not be allowed to perform, effectively circumventing Redmine's roles and permissions.
- Authorization bypass in Redmine allows modification of attachment metadata on invisible issues (Moderate): A user with permission to edit an issue was able to modify the metadata of that issue's attachments, including the attachment's filename and description, even if they were not able to view the issue.
- Authorization bypass in Redmine allows deletion of attachment on invisible issues (Moderate): A user with permission to edit an issue was able to delete attachments of the issue, even if they were not able to view the issue.
- /my/account does not correctly enforce sudo mode (Moderate): Due to insufficient checks, a password confirmation may not be required in all cases when changing the email address or other user settings of the current user.
- Unchecked return value from xmlC14NExecute in Nokogiri (Low): Nokogiri may incorrectly return an empty string instead of raising an exception during canonicalization of parsed XML.
Denial of Service (DoS)
In a Denial of Service attack, your Redmine is compromised in a way that it no longer functions properly. Using a Denial of Service vulnerability, attackers may not necessarily obtain or modify any data on the server, but they may render it unresponsive for users or disrupt certain functionality of your Redmine installation.
- Multiple vulnerabilities in Nokogiri / libxml2 (Low): Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795 and CVE-2025-49796. Fixed in: 5.1.12, 6.0.9, 6.1.2
- DoS vulnerability in net-imap (Low): There is a possibility of denial of service by memory exhaustion when net-imap reads server responses from a malicious IMAP server. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved.