CVE-2015-8473: Infoleak
First published: Tue Apr 12 2016(Updated: )
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian | =8.0 | |
| Redmine | <=2.6.7 | |
| Redmine | =3.0.0 | |
| Redmine | =3.0.1 | |
| Redmine | =3.0.2 | |
| Redmine | =3.0.3 | |
| Redmine | =3.0.4 | |
| Redmine | =3.0.5 | |
| Redmine | =3.1.0 | |
| Redmine | =3.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2016/dsa-3529
- http://www.securityfocus.com/bid/78621
- https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22
- https://www.redmine.org/issues/21136
- https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
- https://www.redmine.org/projects/redmine/wiki/Changelog_3_1
- https://www.redmine.org/versions/105
Frequently Asked Questions
What is the severity of CVE-2015-8473?
CVE-2015-8473 is considered to be a medium severity vulnerability.
How do I fix CVE-2015-8473?
To fix CVE-2015-8473, upgrade Redmine to version 2.6.8 or 3.0.6 or later.
What does CVE-2015-8473 affect?
CVE-2015-8473 affects Redmine versions prior to 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2.
Can CVE-2015-8473 be exploited by unauthenticated users?
No, CVE-2015-8473 can only be exploited by remote authenticated users.
What information can be exposed due to CVE-2015-8473?
CVE-2015-8473 allows remote authenticated users to obtain sensitive information in changeset messages.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian
- version/debian/8.0
- vendor/redmine
- canonical/redmine
- version/redmine/2.6.7
- version/redmine/3.0.0
- version/redmine/3.0.1
- version/redmine/3.0.2
- version/redmine/3.0.3
- version/redmine/3.0.4
- version/redmine/3.0.5
- version/redmine/3.1.0
- version/redmine/3.1.1