CVE-2015-8346

Name: CVE-2015-8346
Description: app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-351-1, DSA-3529-1
NVD severity: medium (attack range: remote)
Debian Bugs: 806376

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release           | Version               | Status
redmine (PTS)   | wheezy            | 1.4.4+dfsg1-2+deb7u1  | vulnerable
                | jessie            | 3.0~20140825-8~deb8u4 | fixed
                | jessie (security) | 3.0~20140825-8~deb8u2 | fixed
                | stretch           | 3.3.1-4               | fixed
                | sid               | 3.4.2-1               | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version         | Urgency     | Origin     | Debian Bugs
redmine | source | (unstable) | 3.2.0-1               | medium      |            | 806376
redmine | source | jessie     | 3.0~20140825-8~deb8u2 | medium      | DSA-3529-1 |
redmine | source | squeeze    | (unfixed)             | end-of-life |            |
redmine | source | wheezy     | (unfixed)             | end-of-life |            |

Notes

[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
[squeeze] - redmine <end-of-life> (Redmine not supported because of rails)
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/21150 (private)
http://www.openwall.com/lists/oss-security/2015/11/25/1
Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4
Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
For squeeze, the bug is in app/views/timelog/edit.rhtml
Upstream fixed in 2.6.8, 3.0.6 and 3.1.2
