CVE-2021-31866 · VulnScope

Description

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

How to fix CVE-2021-31866

To remediate CVE-2021-31866, upgrade the affected package to a fixed version below.

Bitnami/redmine—upgrade to 4.0.9 or later
Debian/redmine—upgrade to 5.0.0-1 or later

Is CVE-2021-31866 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.0.9, >= 4.1.0, < 4.1.3
from 0, < 5.0.0-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-31866
WEBlists.debian.org/debian-lts-announce/2021/05/msg00013.html
WEBnvd.nist.gov/vuln/detail/CVE-2021-31866
WEBwww.redmine.org/news/131
WEB