CVE-2015-8473

medium

Description

The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.

References

http://www.debian.org/security/2016/dsa-3529

http://www.securityfocus.com/bid/78621

https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22

https://www.redmine.org/issues/21136

https://www.redmine.org/projects/redmine/wiki/Changelog_3_0

https://www.redmine.org/projects/redmine/wiki/Changelog_3_1

https://www.redmine.org/versions/105

Details

Source: MITRE

Published: 2016-04-12

Updated: 2016-04-20

Type: CWE-200

Risk Information

CVSS v2

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 2.8

Severity: MEDIUM