Skip to main content

Redmine CVE-2022-44030

HIGH
Improper Handling of Exceptional Conditions (CWE-755)
2022-12-06 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 06, 2022 - 23:15 nvd
HIGH 7.5

DescriptionNVD

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user.

AnalysisAI

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-755. Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user. Affected products include: Redmine. Version information: before 5.0.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2014-1985 MEDIUM POC
5.8 Apr 11

Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Red

CVE-2021-29274 MEDIUM POC
6.1 Mar 29

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Rated medium se

CVE-2021-30164 CRITICAL
9.8 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by lev

CVE-2017-15572 HIGH
7.5 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens

CVE-2017-15577 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obt

CVE-2017-15576 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attac

CVE-2021-37156 HIGH
7.5 Aug 05

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's

CVE-2021-31863 HIGH
7.5 Apr 28

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x b

CVE-2021-30163 HIGH
7.5 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal

CVE-2015-8474 HIGH
7.4 Apr 12

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine befor

CVE-2017-15575 HIGH
7.3 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in

CVE-2019-18890 MEDIUM
6.5 Nov 21

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected

Share

CVE-2022-44030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy