{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","type":"alpm","namespace":"archlinux","name":"redmine","version":"4.2.1-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.2.2-1","latest_non_vulnerable_version":"4.2.3-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47751?format=json","vulnerability_id":"VCID-gjey-bqtd-kqa1","summary":"Action Pack contains Information Disclosure / Unintended Method Execution vulnerability\nImpact\n------\nThere is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.\n\nVulnerable code will look like this.\n\n```\nredirect_to(params[:some_param])\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nTo work around this problem, it is recommended to use an allow list for valid parameters passed from the user.  For example,\n\n```ruby\nprivate def check(param)\n  case param\n  when \"valid\"\n    param\n  else\n    \"/\"\n  end\nend\n\ndef index\n  redirect_to(check(params[:some_param]))\nend\n```\n\nOr force the user input to be cast to a string like this,\n\n```ruby\ndef index\n  redirect_to(params[:some_param].to_s)\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-information-disclosure.patch - Patch for 5.2 series\n* 6-0-information-disclosure.patch - Patch for 6.0 series\n* 6-1-information-disclosure.patch - Patch for 6.1 series\n\nPlease note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\n\nThanks to Benoit Côté-Jodoin from Shopify for reporting this.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22885","reference_id":"","reference_type":"","scores":[{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.79641","published_at":"2026-05-16T12:55:00Z"},{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.79636","published_at":"2026-05-15T12:55:00Z"},{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.79631","published_at":"2026-05-14T12:55:00Z"},{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.79594","published_at":"2026-05-12T12:55:00Z"},{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.79582","published_at":"2026-05-11T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86898","published_at":"2026-05-09T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86736","published_at":"2026-04-01T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86746","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86765","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86763","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86783","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86791","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86805","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86802","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86797","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86812","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86817","published_at":"2026-04-18T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86815","published_at":"2026-04-21T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86831","published_at":"2026-04-24T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86838","published_at":"2026-04-26T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86837","published_at":"2026-04-29T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.86861","published_at":"2026-05-05T12:55:00Z"},{"value":"0.03096","scoring_system":"epss","scoring_elements":"0.8688","published_at":"2026-05-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI"},{"reference_url":"https://hackerone.com/reports/1106652","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1106652"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22885","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22885"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4929","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2021/dsa-4929"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957441","reference_id":"1957441","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957441"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-hjg4-8q5f-x6fm","reference_id":"GHSA-hjg4-8q5f-x6fm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjg4-8q5f-x6fm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373543?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.2-1"}],"aliases":["CVE-2021-22885","GHSA-hjg4-8q5f-x6fm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gjey-bqtd-kqa1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/254440?format=json","vulnerability_id":"VCID-pwfc-n1q7-b7e4","summary":"Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37156","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48086","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47989","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48027","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48048","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47998","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48051","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48069","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48045","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48057","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48109","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48104","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4806","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48041","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48053","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48001","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47919","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47986","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48011","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47956","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47985","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48079","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37156"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373543?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.2-1"}],"aliases":["CVE-2021-37156"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pwfc-n1q7-b7e4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47410?format=json","vulnerability_id":"VCID-wg3a-j2dp-ayh4","summary":"Possible DoS Vulnerability in Action Controller Token Authentication\nThere is a possible DoS vulnerability in the Token Authentication logic in Action Controller.\n\nVersions Affected:  >= 4.0.0\nNot affected:       < 4.0.0\nFixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nImpacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:\n\n```\nclass PostsController < ApplicationController\n  before_action :authenticate\n\n  private\n\n  def authenticate\n    authenticate_or_request_with_http_token do |token, options|\n      # ...\n    end\n  end\nend\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around the issue:\n\n```ruby\nmodule ActionController::HttpAuthentication::Token\n  AUTHN_PAIR_DELIMITERS = /(?:,|;|\\t)/\nend\n```\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-http-authentication-dos.patch - Patch for 5.2 series\n* 6-0-http-authentication-dos.patch - Patch for 6.0 series\n* 6-1-http-authentication-dos.patch - Patch for 6.1 series\n\nPlease note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\nThank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91974","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92075","published_at":"2026-05-16T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92082","published_at":"2026-05-15T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92074","published_at":"2026-05-14T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92056","published_at":"2026-05-12T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.9205","published_at":"2026-05-11T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92049","published_at":"2026-05-09T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92004","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92007","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91966","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91981","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.91987","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92","published_at":"2026-04-08T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.9204","published_at":"2026-05-07T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92027","published_at":"2026-05-05T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92014","published_at":"2026-04-29T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92018","published_at":"2026-04-26T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.9202","published_at":"2026-04-24T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92015","published_at":"2026-04-21T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92019","published_at":"2026-04-18T12:55:00Z"},{"value":"0.07856","scoring_system":"epss","scoring_elements":"0.92022","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.4.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.4.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"},{"reference_url":"https://hackerone.com/reports/1101125","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1101125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379","reference_id":"1961379","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584","reference_id":"GHSA-7wjx-3g7j-8584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wjx-3g7j-8584"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373543?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.2-1"}],"aliases":["CVE-2021-22904","GHSA-7wjx-3g7j-8584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/250264?format=json","vulnerability_id":"VCID-1fe1-sdn1-jfcw","summary":"Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31864","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4415","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44212","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4428","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44302","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44235","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44288","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44292","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4431","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44278","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44277","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44335","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44326","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44255","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44176","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44179","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44096","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.43974","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44051","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44067","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44005","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44034","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44102","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4412","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31864"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792","reference_id":"990792","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-31864"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fe1-sdn1-jfcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/250267?format=json","vulnerability_id":"VCID-7nsr-5xpe-vke4","summary":"Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31866","reference_id":"","reference_type":"","scores":[{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.6347","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63196","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63255","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63284","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63249","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.633","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63318","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63335","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63319","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63283","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63327","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63306","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63325","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63338","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63336","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63308","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63352","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63405","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63366","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63392","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63446","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00442","scoring_system":"epss","scoring_elements":"0.63456","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31866"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792","reference_id":"990792","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-31866"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7nsr-5xpe-vke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/248883?format=json","vulnerability_id":"VCID-8cvp-423x-qfga","summary":"Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30164","reference_id":"","reference_type":"","scores":[{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43226","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43276","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43333","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43361","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43299","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43351","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43366","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43387","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43355","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.4334","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.434","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43389","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43324","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43257","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.4326","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43182","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43049","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43127","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43143","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43082","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43113","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43176","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43196","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30164"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986800","reference_id":"986800","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986800"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-30164"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8cvp-423x-qfga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/250266?format=json","vulnerability_id":"VCID-a2t5-u2dx-5fc2","summary":"Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31865","reference_id":"","reference_type":"","scores":[{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60271","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60003","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60081","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60105","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60075","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60125","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60139","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.6016","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60145","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60128","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60167","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60174","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60133","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60149","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60136","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60093","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.6014","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60198","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60156","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60183","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60244","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60256","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31865"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792","reference_id":"990792","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-31865"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a2t5-u2dx-5fc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/250262?format=json","vulnerability_id":"VCID-r8j4-1ux4-6ycy","summary":"Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31863","reference_id":"","reference_type":"","scores":[{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.74052","published_at":"2026-05-16T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73819","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73828","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73853","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73824","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73858","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73871","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73893","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73874","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73866","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73908","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73917","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73909","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73943","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73952","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73947","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73974","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73997","published_at":"2026-05-09T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73958","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.73982","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.74037","published_at":"2026-05-14T12:55:00Z"},{"value":"0.0079","scoring_system":"epss","scoring_elements":"0.74043","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31863"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792","reference_id":"990792","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-31863"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r8j4-1ux4-6ycy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/247791?format=json","vulnerability_id":"VCID-yjxe-atwc-6yec","summary":"Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29274","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.5543","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55244","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55343","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55368","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55346","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55396","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55407","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55385","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55367","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55402","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55386","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55325","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55345","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55317","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55266","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55308","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55365","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55326","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55352","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55412","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55428","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29274"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-29274"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjxe-atwc-6yec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/248881?format=json","vulnerability_id":"VCID-zbef-znuk-eqhr","summary":"Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30163","reference_id":"","reference_type":"","scores":[{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65955","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65678","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65728","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65758","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65723","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65776","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65787","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65807","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65793","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65763","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65798","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65812","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65811","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65822","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65796","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65843","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65887","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65858","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65877","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65933","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.65943","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30163"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986800","reference_id":"986800","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986800"},{"reference_url":"https://security.archlinux.org/ASA-202105-1","reference_id":"ASA-202105-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-1"},{"reference_url":"https://security.archlinux.org/AVG-1743","reference_id":"AVG-1743","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1743"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371193?format=json","purl":"pkg:alpm/archlinux/redmine@4.2.1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gjey-bqtd-kqa1"},{"vulnerability":"VCID-pwfc-n1q7-b7e4"},{"vulnerability":"VCID-wg3a-j2dp-ayh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}],"aliases":["CVE-2021-30163"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zbef-znuk-eqhr"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/redmine@4.2.1-1"}