CVE-2012-2054
First published: Thu Apr 05 2012(Updated: )
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, or (11) Board model via a modified URL, related to a "mass assignment" vulnerability, a different vulnerability than CVE-2012-0327.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redmine | <=1.3.1 | |
| Redmine | =0.1.0 | |
| Redmine | =0.2.1 | |
| Redmine | =0.2.2 | |
| Redmine | =0.3.0 | |
| Redmine | =0.4.0 | |
| Redmine | =0.4.1 | |
| Redmine | =0.4.2 | |
| Redmine | =0.5.0 | |
| Redmine | =0.5.1 | |
| Redmine | =0.6.0 | |
| Redmine | =0.6.1 | |
| Redmine | =0.6.2 | |
| Redmine | =0.6.3 | |
| Redmine | =0.6.4 | |
| Redmine | =0.7.0 | |
| Redmine | =0.7.0-rc1 | |
| Redmine | =0.7.1 | |
| Redmine | =0.7.2 | |
| Redmine | =0.7.3 | |
| Redmine | =0.7.4 | |
| Redmine | =0.8.0 | |
| Redmine | =0.8.0-rc1 | |
| Redmine | =0.8.1 | |
| Redmine | =0.8.2 | |
| Redmine | =0.8.3 | |
| Redmine | =0.8.4 | |
| Redmine | =0.8.5 | |
| Redmine | =0.8.6 | |
| Redmine | =0.8.7 | |
| Redmine | =0.9.0 | |
| Redmine | =0.9.1 | |
| Redmine | =0.9.2 | |
| Redmine | =0.9.3 | |
| Redmine | =0.9.4 | |
| Redmine | =0.9.5 | |
| Redmine | =0.9.6 | |
| Redmine | =1.0.0 | |
| Redmine | =1.0.1 | |
| Redmine | =1.0.2 | |
| Redmine | =1.0.3 | |
| Redmine | =1.0.4 | |
| Redmine | =1.0.5 | |
| Redmine | =1.1.0 | |
| Redmine | =1.1.1 | |
| Redmine | =1.1.2 | |
| Redmine | =1.1.3 | |
| Redmine | =1.2.0 | |
| Redmine | =1.2.1 | |
| Redmine | =1.2.2 | |
| Redmine | =1.2.3 | |
| Redmine | =1.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2012-2054?
CVE-2012-2054 has a moderate severity level as it allows remote attackers to manipulate model attributes in Redmine.
How do I fix CVE-2012-2054?
To fix CVE-2012-2054, upgrade Redmine to version 1.3.2 or later.
Which versions of Redmine are affected by CVE-2012-2054?
CVE-2012-2054 affects Redmine versions prior to 1.3.2, including 0.1.0 through 1.3.1.
What types of attributes can be manipulated due to CVE-2012-2054?
CVE-2012-2054 allows manipulation of attributes including Comment, Document, IssueCategory, Message, and more.
Is there any validation issue related to CVE-2012-2054?
Yes, CVE-2012-2054 is caused by insufficient validation of attributes being set via a hash.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/author
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redmine
- canonical/redmine
- version/redmine/1.3.1
- version/redmine/0.1.0
- version/redmine/0.2.1
- version/redmine/0.2.2
- version/redmine/0.3.0
- version/redmine/0.4.0
- version/redmine/0.4.1
- version/redmine/0.4.2
- version/redmine/0.5.0
- version/redmine/0.5.1
- version/redmine/0.6.0
- version/redmine/0.6.1
- version/redmine/0.6.2
- version/redmine/0.6.3
- version/redmine/0.6.4
- version/redmine/0.7.0
- version/redmine/0.7.0-rc1
- version/redmine/0.7.1
- version/redmine/0.7.2
- version/redmine/0.7.3
- version/redmine/0.7.4
- version/redmine/0.8.0
- version/redmine/0.8.0-rc1
- version/redmine/0.8.1
- version/redmine/0.8.2
- version/redmine/0.8.3
- version/redmine/0.8.4
- version/redmine/0.8.5
- version/redmine/0.8.6
- version/redmine/0.8.7
- version/redmine/0.9.0
- version/redmine/0.9.1
- version/redmine/0.9.2
- version/redmine/0.9.3
- version/redmine/0.9.4
- version/redmine/0.9.5
- version/redmine/0.9.6
- version/redmine/1.0.0
- version/redmine/1.0.1
- version/redmine/1.0.2
- version/redmine/1.0.3
- version/redmine/1.0.4
- version/redmine/1.0.5
- version/redmine/1.1.0
- version/redmine/1.1.1
- version/redmine/1.1.2
- version/redmine/1.1.3
- version/redmine/1.2.0
- version/redmine/1.2.1
- version/redmine/1.2.2
- version/redmine/1.2.3
- version/redmine/1.3.0