Candidate: CVE-2019-18890
PublicDate: 2019-11-21 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18890
 https://www.redmine.org/news/125
 https://www.redmine.org/projects/redmine/repository/revisions/16196
 https://www.redmine.org/issues/32374
 https://ubuntu.com/security/notices/USN-4200-1
Description:
 A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before
 3.3.10 allows Redmine users to access protected information via a crafted
 object query.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]

Patches_redmine:
 upstream: https://github.com/redmine/redmine/commit/04d4a1a191c46e4595ed455372e86c66cf3f6ed7#diff-72469d98e80a60152ebcfa998306b5ecL581-R584
upstream_redmine: released (3.4.2-1)
precise/esm_redmine: DNE
trusty_redmine: ignored (out of standard support)
trusty/esm_redmine: DNE
xenial_redmine: released (3.2.1-2ubuntu0.2)
bionic_redmine: not-affected (3.4.4-1)
disco_redmine: not-affected
eoan_redmine: not-affected
devel_redmine: not-affected