CVE-2017-16804 - OpenCVE

In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Redmine	Redmine

Configuration 1 [-]

OR	cpe:2.3:a:redmine:redmine::::::::
	cpe:2.3:a:redmine:redmine:3.3.0:::::::*
	cpe:2.3:a:redmine:redmine:3.3.1:::::::*
	cpe:2.3:a:redmine:redmine:3.3.2:::::::*
	cpe:2.3:a:redmine:redmine:3.3.3:::::::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc
https://www.debian.org/security/2018/dsa-4191
https://www.redmine.org/issues/25713
https://www.redmine.org/projects/redmine/wiki/Security_Advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-11-13T20:00:00

Updated: 2024-08-05T20:35:21.015Z

Reserved: 2017-11-13T00:00:00

Link: CVE-2017-16804

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-11-13T20:29:00.460

Modified: 2019-04-30T15:56:31.437

Link: CVE-2017-16804

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-13T00:00:00", "descriptions": [{"lang": "en", "value": "In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-04T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"}, {"name": "DSA-4191", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4191"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.redmine.org/issues/25713"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16804", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories", "refsource": "CONFIRM", "url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"}, {"name": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc", "refsource": "CONFIRM", "url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"}, {"name": "DSA-4191", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4191"}, {"name": "https://www.redmine.org/issues/25713", "refsource": "CONFIRM", "url": "https://www.redmine.org/issues/25713"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:35:21.015Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"}, {"name": "DSA-4191", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4191"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.redmine.org/issues/25713"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16804", "datePublished": "2017-11-13T20:00:00", "dateReserved": "2017-11-13T00:00:00", "dateUpdated": "2024-08-05T20:35:21.015Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:*", "matchCriteriaId": "C34F71DA-BA2C-4595-B702-FF2CB4229C4B", "versionEndExcluding": "3.2.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:redmine:redmine:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "196CF994-54D8-4E36-B37E-EAF1CC108F61", "vulnerable": true}, {"criteria": "cpe:2.3:a:redmine:redmine:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "5AE4FC9C-3291-4344-81D5-83BA91D52FA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:redmine:redmine:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "67E1F17B-7B25-48B3-8953-18C47D99B443", "vulnerable": true}, {"criteria": "cpe:2.3:a:redmine:redmine:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "9ADF69D6-449E-4845-811D-D588B4D05665", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages."}, {"lang": "es", "value": "En Redmine en versiones anteriores a la 3.2.7 y las versiones 3.3.x anteriores a la 3.3.4, la funci\u00f3n reminders en app/models/mailer.rb no comprueba si un problema es visible, lo que permite que usuarios remotos autenticados obtengan informaci\u00f3n sensible leyendo mensajes de recordatorio de correo electr\u00f3nico."}], "id": "CVE-2017-16804", "lastModified": "2019-04-30T15:56:31.437", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-13T20:29:00.460", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4191"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://www.redmine.org/issues/25713"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}