Timing Attack Vulnerability in Redmine by Jean-Philippe Lang
CVE-2021-31866

5.3MEDIUM

Key Information:

Vendor

Redmine

Status
Redmine
Vendor
CVE Published:
28 April 2021

What is CVE-2021-31866?

Redmine versions prior to 4.0.9 and 4.1.x before 4.1.3 are susceptible to a timing attack that allows an external attacker to infer sensitive internal authentication keys based on the timing differences observed in string comparison operations executed within SysController and MailHandlerController. This vulnerability highlights weaknesses in the application's handling of cryptographic operations, which could lead to unauthorized access or further exploitation.

References

https://www.redmine.org/projects/redmine/wiki/Security_Ad...
x_refsource_MISC
https://www.redmine.org/news/131
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2021/05/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.