CVE-2021-31866

medium

Description

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows a remote, unauthenticated attacker to learn the values of internal authentication keys by observing timing differences in the string comparisons that SysController and MailHandlerController use to validate the key supplied with a request. A non-constant-time comparison stops at the first mismatching byte, so response time reveals how many leading bytes of a guessed key are correct and the key can be recovered one byte at a time with repeated requests. Both controllers accept the key from an unauthenticated request, which is consistent with PR:N in the vectors below. Fixed in 4.0.9 and 4.1.3.
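
Worked example, added here and not taken from Redmine or the advisory: a Ruby model of the leak and of the hardened comparison. SAMPLE_KEY is a constructed 40-hex-character value, not a key from any installation; short_circuit_steps counts byte comparisons instead of measuring time so the demonstration is deterministic; recover_key, leaky_key_matches?, secure_key_matches? and demo are names chosen for this example. The hash-then-fixed-length compare follows the same idea as ActiveSupport::SecurityUtils.secure_compare but is written out so the file runs without the gem.

```ruby
require "digest"

# Constructed sample key for the demo (40 hex chars, like a Redmine API key).
# Not a real key from any Redmine installation.
SAMPLE_KEY = "d3f1c0ffeeb4b3d7a1e9c5f2b8a6d4e1c3f5a7b9"
HEX = ("0".."9").to_a + ("a".."f").to_a

# The vulnerable shape: a plain equality test on the supplied key.
def leaky_key_matches?(supplied, expected)
  supplied == expected
end

# Model of the side channel: a short-circuiting compare stops at the first
# mismatching byte, so the amount of work (and thus time) grows with the
# length of the correct prefix. Steps are counted instead of nanoseconds
# so the result is deterministic.
def short_circuit_steps(supplied, expected)
  return 0 if supplied.bytesize != expected.bytesize
  steps = 0
  supplied.bytes.zip(expected.bytes) do |a, b|
    steps += 1
    break if a != b
  end
  steps
end

# Attacker side: recover the key one hex digit at a time. For each position
# the candidate that makes the oracle do the most work is the right one; the
# final digit is confirmed with the accept/reject answer itself.
def recover_key(steps_oracle, accept_oracle, length)
  known = ""
  length.times do |i|
    pad = "\0" * (length - i - 1)   # filler that never matches a hex digit
    best = HEX.find { |c| accept_oracle.call(known + c + pad) } ||
           HEX.max_by { |c| steps_oracle.call(known + c + pad) }
    known += best
  end
  known
end

# The fix shape: visit every byte regardless of where the first mismatch is
# and fold the differences with XOR/OR, so work does not depend on the input.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "inputs must have equal length" unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Hash both sides first so inputs of any length reach the fixed-length
# compare without an early length-based return leaking the key length.
def secure_key_matches?(supplied, expected)
  fixed_length_secure_compare(Digest::SHA256.digest(supplied),
                              Digest::SHA256.digest(expected))
end

# Run the digit-by-digit search against both checks. Against the hardened
# check the timing oracle is flat (every compare does the same work), so the
# search degenerates to blind guessing and fails.
def demo
  leaky  = recover_key(->(g) { short_circuit_steps(g, SAMPLE_KEY) },
                       ->(g) { leaky_key_matches?(g, SAMPLE_KEY) }, SAMPLE_KEY.length)
  secure = recover_key(->(_g) { 32 },
                       ->(g) { secure_key_matches?(g, SAMPLE_KEY) }, SAMPLE_KEY.length)
  { leaky: leaky == SAMPLE_KEY, secure: secure == SAMPLE_KEY }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a real deployment the attacker replaces the step counter with many timed HTTP requests per candidate and averages out network jitter; the per-byte structure of the search is the same. In a Rails application the drop-in remedy is ActiveSupport::SecurityUtils.secure_compare on the supplied and stored key, with the supplied value coerced to a String first so a missing parameter cannot raise.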

References

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

https://www.redmine.org/news/131

https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html

Details

Source: MITRE, NVD

Published: 2021-04-28

Updated: 2021-06-01

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium