Candidate: CVE-2012-2054
PublicDate: 2012-04-05 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2054
 http://www.redmine.org/versions/42
 http://www.redmine.org/issues/10390
 http://www.redmine.org/boards/2/topics/29343
Description:
 Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, or (11) Board model via a modified URL, related to a "mass assignment" vulnerability, a different vulnerability than CVE-2012-0327.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_redmine:
upstream_redmine: released (1.3.2+dfsg1-1)
hardy_redmine: DNE
lucid_redmine: ignored (reached end-of-life)
maverick_redmine: ignored (reached end-of-life)
natty_redmine: ignored (reached end-of-life)
oneiric_redmine: ignored (reached end-of-life)
precise_redmine: not-affected (1.3.2+dfsg1-1ubuntu1)
quantal_redmine: not-affected (1.3.2+dfsg1-1ubuntu1)
raring_redmine: not-affected (1.3.2+dfsg1-1ubuntu1)
saucy_redmine: not-affected (1.3.2+dfsg1-1ubuntu1)
devel_redmine: not-affected (1.3.2+dfsg1-1ubuntu1)