CVE-2022-44030

Name: CVE-2022-44030
Description: Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1026048
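
The description names the bug class (an attachment download path that does not verify the requester may see the Issue or Wiki page the file belongs to) but not the fix. The Ruby model below is an added illustration written for this page; it is not Redmine's code and not the content of the referenced commits. The names (User, Project, Container, Attachment, AttachmentStore, Settings, download_vulnerable, download_checked) and the visibility rules are assumptions chosen to show the pattern: the vulnerable handler gates only on "does the attachment exist" (plus the site-wide login requirement the description mentions), while the hardened handler also authorises against the attachment's container.

```ruby
# Illustrative model of the bug class in CVE-2022-44030.  NOT Redmine's code:
# all class names, fields and rules below are invented for this example.

User = Struct.new(:name, :memberships, :registered) do
  def anonymous?
    !registered
  end

  # Membership is the only thing that grants access to a non-public project.
  def member_of?(project)
    memberships.include?(project)
  end
end

ANONYMOUS = User.new("anonymous", [], false)

Project = Struct.new(:identifier, :public_project)

# A container is the Issue or Wiki page that owns an attachment.
Container = Struct.new(:kind, :project, :members_only) do
  # Visible to everyone if the project is public and the item is not
  # restricted to members; otherwise only to project members.
  def visible?(user)
    return true if project.public_project && !members_only
    user.member_of?(project)
  end
end

Attachment = Struct.new(:id, :filename, :container)

# Site-wide setting modelling "this may require login as a registered user".
Settings = Struct.new(:login_required)

class AttachmentStore
  def initialize(attachments)
    @by_id = attachments.map { |a| [a.id, a] }.to_h
  end

  def find(id)
    @by_id[id]
  end
end

# Vulnerable pattern: the attachment is served to anyone who can reach the
# endpoint and knows (or guesses) its numeric id.  The container's visibility
# is never consulted, so issues and wiki pages of other projects leak.
def download_vulnerable(store, settings, user, id)
  return :login_required if settings.login_required && user.anonymous?
  att = store.find(id)
  return :not_found if att.nil?
  [:ok, att.filename]
end

# Hardened pattern: resolve the attachment, then require that its container is
# visible to the requesting user.  Unauthorised and missing ids both yield
# :not_found so that probing ids does not reveal which attachments exist.
def download_checked(store, settings, user, id)
  return :login_required if settings.login_required && user.anonymous?
  att = store.find(id)
  return :not_found if att.nil? || !att.container.visible?(user)
  [:ok, att.filename]
end

# Constructed fixture: one public issue, one wiki page in a private project.
def sample_world
  pub  = Project.new("public-proj", true)
  priv = Project.new("internal", false)
  store = AttachmentStore.new([
    Attachment.new(1, "screenshot.png", Container.new(:issue, pub, false)),
    Attachment.new(2, "budget.xlsx",    Container.new(:wiki_page, priv, false)),
  ])
  { store: store,
    insider:  User.new("alice", [priv], true),   # member of the private project
    outsider: User.new("bob",   [],     true) }  # registered, no memberships
end

if __FILE__ == $PROGRAM_NAME
  w = sample_world
  s = Settings.new(false)
  p download_vulnerable(w[:store], s, w[:outsider], 2)  # leaks budget.xlsx
  p download_checked(w[:store], s, w[:outsider], 2)     # :not_found
  p download_checked(w[:store], s, w[:insider], 2)      # [:ok, "budget.xlsx"]
end
```

The point to take from the two handlers is where the check lives: an authenticated-user gate at the top (the "login required" setting) is not an authorisation check on the object being served, and a registered outsider still obtains the private wiki attachment from the vulnerable handler.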

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                      Version           Status
redmine (PTS)    stretch (security), stretch (lts), stretch   3.3.1-4+deb9u5    vulnerable
                 bookworm (security), bookworm                5.0.4-5+deb12u1   fixed
                 sid                                          5.1.3+ds-2        fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
redmine   source   stretch      (unfixed)       end-of-life
redmine   source   (unstable)   5.0.4-1                                1026048

Notes

https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://github.com/redmine/redmine/commit/c02e3bfaec5fb45bd02d840b2306a875cc4f7f88
https://github.com/redmine/redmine/commit/eea816ae0825a3d794e650d11a3909ace772152b
https://github.com/redmine/redmine/commit/df615b7047e58a5dfb236d3b011dfe1619559acc
https://github.com/redmine/redmine/commit/072faff556c5f3ab1f65cad4d2753600cf4ee909
https://github.com/redmine/redmine/commit/9435929e349f0af9ba1d059e41d80c65be50e833
