CVE-2015-8473

NameCVE-2015-8473
DescriptionThe Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3529-1
NVD severitymedium (attack range: remote)
Debian Bugs807345

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
redmine (PTS)wheezy1.4.4+dfsg1-2+deb7u1vulnerable
jessie3.0~20140825-8~deb8u4fixed
jessie (security)3.0~20140825-8~deb8u2fixed
stretch, sid3.3.1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
redminesource(unstable)3.2.0-1medium807345
redminesourcejessie3.0~20140825-8~deb8u2mediumDSA-3529-1
redminesourcesqueeze(not affected)
redminesourcewheezy(unfixed)end-of-life

Notes

[squeeze] - redmine <not-affected> (code dates from the API changes introduced in 735a83c, part of 1.1)
[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
https://www.redmine.org/issues/21136
http://www.openwall.com/lists/oss-security/2015/12/03/7
https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22

Search for package or bug name: Reporting problems