====================================================================
CERT-Renater Note d'Information No. 2021/VULN209
_____________________________________________________________________
DATE                 : 12/04/2021
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Redmine versions prior to 4.1.2 or 4.0.8.
=====================================================================
https://www.redmine.org/news/129
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
_____________________________________________________________________
Redmine 4.1.2 and 4.0.8 released

These 2 maintenance releases are available for download; you can review the changes in the Changelog.

Security: these 2 releases include several security fixes, including a fix for a permission bypass in the Issues API and a fix for private project names that can be leaked in issue journal details, so upgrading as soon as possible is recommended. You can get more details in the Security Advisories.

Thanks to all the contributors who worked on these releases.
_____________________________________________________________________
Severity  | Details                                                    | External references                                  | Affected versions   | Fixed versions
----------|------------------------------------------------------------|------------------------------------------------------|---------------------|----------------
High      | Inline issue auto complete doesn't sanitize HTML tags      | CVE-2021-29274                                       | 4.1.0 and 4.1.1     | 4.1.2 and 4.0.8
          | (#33846)                                                   |                                                      |                     |
Moderate  | Names of private projects are leaked by issue journal      | (none)                                               | All prior releases  | 4.1.2 and 4.0.8
          | details that contain project_id changes (#33360)           |                                                      |                     |
High      | Issues API bypasses add_issue_notes permission (#33689)    | (none)                                               | All prior releases  | 4.1.2 and 4.0.8
High      | Ruby on Rails vulnerabilities (rails 5.2.4.3, rails 5.2.4.5)| CVE-2020-8162, CVE-2020-8164, CVE-2020-8165,        | All prior releases  | 4.1.2 and 4.0.8
          |                                                            | CVE-2020-8166, CVE-2020-8167, CVE-2021-22880,        |                     |
          |                                                            | CVE-2021-22881                                       |                     |

Note: the Rails fixes are shipped by upgrading Redmine itself, which pulls in the patched Rails 5.2.4.x releases through its Gemfile.lock; installations that pin an older Rails in a local Gemfile remain exposed even after the Redmine upgrade, so check `bundle exec rails --version` after updating.
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41          +
+ 75013 Paris            | email: cert@support.renater.fr +
=========================================================
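The table above gives two different affected-version rules (one row applies only to 4.1.0 and 4.1.1, the other three to every release before the fix on its branch), which is easy to misread when triaging a fleet of instances. The following Ruby script is an added example, not part of this note and not code from the Redmine project: it encodes the rows of the table and reports which of them apply to a given version string. It assumes the version string comes from `bin/about` output (e.g. "Redmine version 4.1.1.stable") or from `Redmine::VERSION`, treats any branch other than 4.0.x as fixed at 4.1.2 (so 3.x and 4.1.x are both "prior releases"), and treats anything newer than 4.1.2 as outside this note's scope; the sample versions at the bottom are constructed.

```ruby
# Added example: triage a Redmine version string against the advisory table
# in CERT-Renater 2021/VULN209. Not part of the note and not Redmine's own code.

# Fixed release per maintenance branch, as stated in the note.
FIXED_BY_BRANCH = {
  [4, 1] => [4, 1, 2],
  [4, 0] => [4, 0, 8],
}.freeze

# Rows whose "Affected versions" column reads "All prior releases".
ALL_PRIOR_ROWS = [
  "#33360 private project names leaked via journal project_id changes (Moderate)",
  "#33689 Issues API bypasses add_issue_notes permission (High)",
  "Rails 5.2.4.3/5.2.4.5: CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, " \
  "CVE-2020-8166, CVE-2020-8167, CVE-2021-22880, CVE-2021-22881 (High)",
].freeze

# Row that applies only to 4.1.0 and 4.1.1.
AUTOCOMPLETE_XSS_ROW =
  "#33846 inline issue autocomplete does not sanitize HTML tags (CVE-2021-29274, High)"
AUTOCOMPLETE_XSS_VERSIONS = [[4, 1, 0], [4, 1, 1]].freeze

# Extract x.y.z from strings such as "4.1.1" or "Redmine version 4.1.1.stable".
def parse_version(str)
  m = str.match(/(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "no x.y.z version found in #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# Return the advisory rows that apply to the given Redmine version string.
def affected_advisories(str)
  version = parse_version(str)
  branch  = version[0, 2]
  # Assumption: branches not listed (3.4.x, 4.2.x, ...) are compared against
  # 4.1.2, the newest fix in the note. Older releases are therefore flagged;
  # newer ones are outside the note's scope and are not flagged.
  fixed = FIXED_BY_BRANCH.fetch(branch, [4, 1, 2])
  findings = []
  # Array#<=> compares element-wise, so [4,1,1] <=> [4,1,2] is -1.
  findings.concat(ALL_PRIOR_ROWS) if (version <=> fixed) < 0
  findings << AUTOCOMPLETE_XSS_ROW if AUTOCOMPLETE_XSS_VERSIONS.include?(version)
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as a bin/about line and bare version strings.
  ["Redmine version 4.1.1.stable", "4.1.2", "4.0.7", "4.0.8", "3.4.13"].each do |v|
    rows = affected_advisories(v)
    puts "#{v}: #{rows.empty? ? 'not affected by this note' : rows.size.to_s + ' finding(s)'}"
    rows.each { |r| puts "  - #{r}" }
  end
end
```

Run it against the output of `bin/about` on each instance; a 4.1.1 instance should report four findings (all three "prior releases" rows plus the autocomplete XSS), a 4.0.7 instance three, and 4.1.2 or 4.0.8 none.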