|Description||app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.|
|Source||CVE|
Vulnerable and fixed packages
The table below lists information on source packages.
|redmine (PTS)||stretch (security), stretch||3.3.1-4+deb9u3||fixed|
The information below is based on the following data on fixed versions.
[squeeze] - redmine <not-affected> (Vulnerable code not present in 1.0.1)
[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
upstream fixed in 2.6.9, 3.0.6 and 3.1.3