VulnerableCode Package Details - pkg:alpm/archlinux/redmine@4.2.1-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-gjey-bqtd-kqa1 Aliases: CVE-2021-22885 GHSA-hjg4-8q5f-x6fm	Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this.	4.2.2-1 Affected by 0 other vulnerabilities.
VCID-pwfc-n1q7-b7e4 Aliases: CVE-2021-37156	Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.	4.2.2-1 Affected by 0 other vulnerabilities.
VCID-wg3a-j2dp-ayh4 Aliases: CVE-2021-22904 GHSA-7wjx-3g7j-8584	Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 Impact ------ Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this: ``` class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do \|token, options\| # ... end end end ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue: ```ruby module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,\|;\|\t)/ end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-http-authentication-dos.patch - Patch for 5.2 series * 6-0-http-authentication-dos.patch - Patch for 6.0 series * 6-1-http-authentication-dos.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!	4.2.2-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gjey-bqtd-kqa1
Aliases:
CVE-2021-22885
GHSA-hjg4-8q5f-x6fm

Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this.

4.2.2-1
Affected by 0 other vulnerabilities.

VCID-pwfc-n1q7-b7e4
Aliases:
CVE-2021-37156

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.

4.2.2-1
Affected by 0 other vulnerabilities.

VCID-wg3a-j2dp-ayh4
Aliases:
CVE-2021-22904
GHSA-7wjx-3g7j-8584

Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 Impact ------ Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this: ``` class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do |token, options| # ... end end end ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue: ```ruby module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-http-authentication-dos.patch - Patch for 5.2 series * 6-0-http-authentication-dos.patch - Patch for 6.0 series * 6-1-http-authentication-dos.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!

4.2.2-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1fe1-sdn1-jfcw	Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.	CVE-2021-31864
VCID-7nsr-5xpe-vke4	Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.	CVE-2021-31866
VCID-8cvp-423x-qfga	Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.	CVE-2021-30164
VCID-a2t5-u2dx-5fc2	Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.	CVE-2021-31865
VCID-r8j4-1ux4-6ycy	Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.	CVE-2021-31863
VCID-yjxe-atwc-6yec	Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.	CVE-2021-29274
VCID-zbef-znuk-eqhr	Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.	CVE-2021-30163

Vulnerability

Summary

Aliases

VCID-1fe1-sdn1-jfcw

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.

CVE-2021-31864

VCID-7nsr-5xpe-vke4

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

CVE-2021-31866

VCID-8cvp-423x-qfga

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

CVE-2021-30164

VCID-a2t5-u2dx-5fc2

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.

CVE-2021-31865

VCID-r8j4-1ux4-6ycy

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.

CVE-2021-31863

VCID-yjxe-atwc-6yec

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.

CVE-2021-29274

VCID-zbef-znuk-eqhr

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

CVE-2021-30163

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T18:26:37.266249+00:00	Arch Linux Importer	Affected by	VCID-gjey-bqtd-kqa1	https://security.archlinux.org/AVG-1920	38.0.0
2026-04-01T18:26:37.240047+00:00	Arch Linux Importer	Affected by	VCID-wg3a-j2dp-ayh4	https://security.archlinux.org/AVG-1920	38.0.0
2026-04-01T18:26:37.210589+00:00	Arch Linux Importer	Affected by	VCID-pwfc-n1q7-b7e4	https://security.archlinux.org/AVG-1920	38.0.0
2026-04-01T18:24:16.975152+00:00	Arch Linux Importer	Fixing	VCID-yjxe-atwc-6yec	https://security.archlinux.org/AVG-1743	38.0.0
2026-04-01T18:24:16.952895+00:00	Arch Linux Importer	Fixing	VCID-zbef-znuk-eqhr	https://security.archlinux.org/AVG-1743	38.0.0
2026-04-01T18:24:16.927607+00:00	Arch Linux Importer	Fixing	VCID-8cvp-423x-qfga	https://security.archlinux.org/AVG-1743	38.0.0
2026-04-01T18:24:16.903399+00:00	Arch Linux Importer	Fixing	VCID-r8j4-1ux4-6ycy	https://security.archlinux.org/AVG-1743	38.0.0
2026-04-01T18:24:16.877706+00:00	Arch Linux Importer	Fixing	VCID-1fe1-sdn1-jfcw	https://security.archlinux.org/AVG-1743	38.0.0
2026-04-01T18:24:16.853554+00:00	Arch Linux Importer	Fixing	VCID-a2t5-u2dx-5fc2	https://security.archlinux.org/AVG-1743	38.0.0
2026-04-01T18:24:16.830406+00:00	Arch Linux Importer	Fixing	VCID-7nsr-5xpe-vke4	https://security.archlinux.org/AVG-1743	38.0.0