CVE-2015-8346

Name: CVE-2015-8346
Description: app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-351-1, DSA-3529-1
NVD severity: medium
Debian Bugs: 806376

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version         | Status
redmine (PTS)  | stretch            | 3.3.1-4+deb9u2  | fixed
redmine (PTS)  | stretch (security) | 3.3.1-4+deb9u3  | fixed
redmine (PTS)  | bullseye, sid      | 4.0.4-3         | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version         | Urgency     | Origin     | Debian Bugs
redmine | source | (unstable) | 3.2.0-1               |             |            | 806376
redmine | source | jessie     | 3.0~20140825-8~deb8u2 |             | DSA-3529-1 |
redmine | source | squeeze    | (unfixed)             | end-of-life |            |
redmine | source | wheezy     | (unfixed)             | end-of-life |            |

Notes

[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
[squeeze] - redmine <end-of-life> (Redmine not supported because of rails)
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/21150 (private)
http://www.openwall.com/lists/oss-security/2015/11/25/1
Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4
Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
For squeeze, the bug is in app/views/timelog/edit.rhtml.
Upstream fixed in 2.6.8, 3.0.6 and 3.1.2.
