Skip to main content

Redmine CVE-2019-18890

MEDIUM
SQL Injection (CWE-89)
2019-11-21 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 21, 2019 - 18:15 nvd
MEDIUM 6.5

DescriptionNVD

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

AnalysisAI

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. Affected products include: Redmine, Debian Debian Linux. Version information: through 3.2.9.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2014-1985 MEDIUM POC
5.8 Apr 11

Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Red

CVE-2021-29274 MEDIUM POC
6.1 Mar 29

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Rated medium se

CVE-2021-30164 CRITICAL
9.8 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by lev

CVE-2017-15572 HIGH
7.5 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens

CVE-2017-15577 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obt

CVE-2017-15576 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attac

CVE-2022-44030 HIGH
7.5 Dec 06

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permis

CVE-2021-37156 HIGH
7.5 Aug 05

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's

CVE-2021-31863 HIGH
7.5 Apr 28

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x b

CVE-2021-30163 HIGH
7.5 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal

CVE-2015-8474 HIGH
7.4 Apr 12

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine befor

CVE-2017-15575 HIGH
7.3 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in

Share

CVE-2019-18890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy