CVE-2015-8346

Name: CVE-2015-8346
Description: app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-351-1, DSA-3529-1
Debian Bugs: 806376

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                    | Version          | Status
redmine (PTS)  | stretch (security), stretch (lts), stretch | 3.3.1-4+deb9u5   | fixed
redmine (PTS)  | bookworm (security), bookworm              | 5.0.4-5+deb12u1  | fixed
redmine (PTS)  | sid                                        | 5.1.3+ds-2       | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version         | Urgency     | Origin     | Debian Bugs
redmine | source | squeeze    | (unfixed)             | end-of-life |            |
redmine | source | wheezy     | (unfixed)             | end-of-life |            |
redmine | source | jessie     | 3.0~20140825-8~deb8u2 |             | DSA-3529-1 |
redmine | source | (unstable) | 3.2.0-1               |             |            | 806376

Notes

[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
[squeeze] - redmine <end-of-life> (Redmine not supported because of rails)
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/21150 (private)
https://www.openwall.com/lists/oss-security/2015/11/25/1
Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4
Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
For squeeze, the bug is in app/views/timelog/edit.rhtml
upstream fixed in 2.6.8, 3.0.6 and 3.1.2
