← Back

CVE-2021-31866

nvd nist

Published: Apr 28, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

Affected (3)

Products: Redmine: Redmine · Debian: Debian Linux

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redmine Redmine	Before 4.0.9
Redmine Redmine	From 4.1.0 to 4.1.3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

CWE-203

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (6)

https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://www.redmine.org/news/131

Source: cve@mitre.org

Vendor Advisory

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

Source: cve@mitre.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.redmine.org/news/131

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.