CVE-2021-30164
📋 TL;DR
This vulnerability allows attackers to bypass the 'add_issue_notes' permission requirement in Redmine by exploiting the Issues API. Attackers can add unauthorized comments to issues even without proper permissions. This affects Redmine installations before version 4.0.8 and 4.1.x before 4.1.2.
💻 Affected Systems
- Redmine
📦 What is this software?
Redmine by Redmine
⚠️ Risk & Real-World Impact
Worst Case
Attackers could add malicious content, false information, or sensitive data to issues, potentially disrupting workflows, leaking information, or causing reputational damage.
Likely Case
Unauthorized users add inappropriate or misleading comments to issues, causing confusion and requiring cleanup by administrators.
If Mitigated
With proper access controls and monitoring, impact is limited to minor data integrity issues that can be quickly identified and reverted.
🎯 Exploit Status
Exploitation requires API access but bypasses specific permission checks. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Redmine 4.0.8 or 4.1.2
Vendor Advisory: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
Restart Required: Yes
Instructions:
1. Back up your Redmine database and files.
2. Download and install Redmine 4.0.8 or 4.1.2 from the official website.
3. Follow the Redmine upgrade documentation for your specific version.
4. Restart your web server and application server.
🔧 Temporary Workarounds
Disable Issues API
Temporarily disable the REST API to prevent exploitation while planning the upgrade. Redmine has no switch for the issues endpoint alone, so this turns off API access for every client.
# In Redmine the REST API is toggled under Administration → Settings → API
# (uncheck "Enable REST web service"). Confirm first that no integrations depend on it.
Restrict API Access
Implement network-level restrictions so that only trusted IP addresses can reach the API.
# Use web server configuration (e.g., Apache .htaccess, Nginx location blocks)
# Example for Apache: Require ip 192.168.1.0/24
# Example for Nginx: allow 192.168.1.0/24; deny all;
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Redmine from untrusted networks
- Enable detailed API access logging and monitor for unauthorized issue note additions
🔍 How to Verify
Check if Vulnerable:
Check your Redmine version via the web interface (Admin → Information) or by examining the Redmine installation directory.
Check Version:
# Redmine keeps its version as the MAJOR, MINOR and TINY constants in lib/redmine/version.rb
grep -E '^\s*(MAJOR|MINOR|TINY)\s*=' /path/to/redmine/lib/redmine/version.rb 2>/dev/null || echo 'Check web interface Admin → Information'
Verify Fix Applied:
After upgrading, verify the version shows 4.0.8 or higher (for 4.0.x) or 4.1.2 or higher (for 4.1.x). Test that only users with 'add_issue_notes' permission can add notes via API.
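The branch rule above is easy to get wrong with a plain version comparison: 4.1.0 sorts above 4.0.8 but is still vulnerable, and 4.0.9 sorts below 4.1.2 but is fixed. The following is an added example (not Redmine's code and not from the advisory) that reads the three version constants from text shaped like Redmine's lib/redmine/version.rb and applies the advisory's per-branch fix levels; the SAMPLE_VERSION_RB text is constructed.

```python
import re
from typing import Tuple

# Constructed text in the shape of Redmine's lib/redmine/version.rb, where the
# version is kept as three constants (sample data, not a copy of the file).
SAMPLE_VERSION_RB = """\
module Redmine
  module VERSION
    MAJOR = 4
    MINOR = 1
    TINY  = 1
  end
end
"""

# First fixed release on each affected branch, as stated in the advisory.
FIXED_ON_BRANCH = {
    (4, 0): (4, 0, 8),
    (4, 1): (4, 1, 2),
}


def parse_version_rb(text: str) -> Tuple[int, int, int]:
    """Extract (MAJOR, MINOR, TINY) from version.rb-style text."""
    found = {}
    for name in ("MAJOR", "MINOR", "TINY"):
        m = re.search(rf"^\s*{name}\s*=\s*(\d+)", text, re.MULTILINE)
        if not m:
            raise ValueError(f"{name} not found in version file")
        found[name] = int(m.group(1))
    return found["MAJOR"], found["MINOR"], found["TINY"]


def parse_version_string(version: str) -> Tuple[int, int, int]:
    """Accept the form shown under Administration -> Information, e.g. '4.1.1.stable'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the fix on its own branch."""
    branch = version[:2]
    if branch in FIXED_ON_BRANCH:
        # Compare only against the fix level of the same branch.
        return version < FIXED_ON_BRANCH[branch]
    # Everything before the 4.0 branch predates the fix; 4.2 and later ship with it.
    return branch < (4, 0)


def assess(text: str) -> str:
    """One-line verdict for a version.rb-style text."""
    version = parse_version_rb(text)
    state = "VULNERABLE" if is_vulnerable(version) else "fixed"
    return "Redmine %d.%d.%d: %s" % (version + (state,))


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_RB))
```

Run it against the real file by passing the contents of lib/redmine/version.rb to assess(); parse_version_string() covers the case where you only have the string from the Information page.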
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests adding issue notes from unauthorized users
- API access logs showing note additions without proper authentication
Network Indicators:
- Increased API traffic to issues endpoints
- Unusual patterns in issue modification requests
SIEM Query:
source="redmine_logs" AND (message="*added note*" OR message="*issue updated*") AND user NOT IN [authorized_users_list]
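The SIEM query above is a sketch; the same logic expressed over Redmine's own production.log is shown in this added example (not code from the advisory or from Redmine). It assumes the Rails request-log shape Redmine writes ("Started PUT ..." followed by an indented "Current user: <login> (id=N)" line and a "Completed <status>" line) and a constructed set of logins that hold add_issue_notes; the log lines are constructed sample data. It flags PUT/PATCH requests to the issues REST endpoints by anyone outside that set, and records whether the request succeeded (which is what an exploited unpatched instance shows) or was refused with a 403 (what a patched instance shows).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample in the shape of Redmine's log/production.log
# (sample data, not a real capture).
SAMPLE_LOG = """\
Started PUT "/issues/42.json" for 203.0.113.5 at 2021-04-02 10:15:01 +0000
Processing by IssuesController#update as JSON
  Parameters: {"issue"=>{"notes"=>"[FILTERED]"}, "id"=>"42"}
  Current user: mallory (id=9)
Completed 200 OK in 35ms (ActiveRecord: 12.1ms)
Started GET "/issues/42.json" for 198.51.100.7 at 2021-04-02 10:16:03 +0000
Processing by IssuesController#show as JSON
  Current user: alice (id=3)
Completed 200 OK in 20ms (Views: 5.0ms | ActiveRecord: 4.1ms)
Started PUT "/issues/42.json" for 198.51.100.7 at 2021-04-02 10:17:00 +0000
Processing by IssuesController#update as JSON
  Parameters: {"issue"=>{"notes"=>"[FILTERED]"}, "id"=>"42"}
  Current user: alice (id=3)
Completed 200 OK in 30ms (ActiveRecord: 10.2ms)
Started PUT "/issues/42.xml" for 203.0.113.5 at 2021-04-02 10:18:00 +0000
Processing by IssuesController#update as XML
  Parameters: {"issue"=>{"notes"=>"[FILTERED]"}, "id"=>"42"}
  Current user: anonymous
Completed 403 Forbidden in 12ms (ActiveRecord: 3.0ms)
"""

STARTED_RE = re.compile(r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for (?P<ip>\S+) at (?P<ts>.+)$')
USER_RE = re.compile(r"^\s*Current user: (?P<user>\S+)")
COMPLETED_RE = re.compile(r"^Completed (?P<status>\d{3})")
# Issue updates (where notes are added) go to /issues/<id>.json or .xml.
ISSUE_API_RE = re.compile(r"^/issues/\d+\.(json|xml)(\?.*)?$")


@dataclass
class Finding:
    timestamp: str
    ip: str
    user: str
    method: str
    path: str
    status: int

    @property
    def succeeded(self) -> bool:
        # 2xx means the note was accepted; 403 means the permission check held.
        return 200 <= self.status < 300


def find_unauthorized_issue_writes(lines: Iterable[str], allowed_users: Set[str]) -> List[Finding]:
    """Correlate Started / Current user / Completed lines into one record per request."""
    findings: List[Finding] = []
    current: Optional[dict] = None
    for line in lines:
        m = STARTED_RE.match(line)
        if m:
            # A request with no "Current user" line is treated as anonymous.
            current = dict(m.groupdict(), user="anonymous")
            continue
        if current is None:
            continue
        m = USER_RE.match(line)
        if m:
            current["user"] = m.group("user")
            continue
        m = COMPLETED_RE.match(line)
        if m:
            if (current["method"] in ("PUT", "PATCH")
                    and ISSUE_API_RE.match(current["path"])
                    and current["user"] not in allowed_users):
                findings.append(Finding(current["ts"], current["ip"], current["user"],
                                        current["method"], current["path"], int(m.group("status"))))
            current = None
    return findings


if __name__ == "__main__":
    # Constructed set of logins that hold add_issue_notes on the project.
    for f in find_unauthorized_issue_writes(SAMPLE_LOG.splitlines(), {"alice", "bob"}):
        verdict = "ACCEPTED" if f.succeeded else "refused"
        print(f"{f.timestamp} {f.ip} {f.user} {f.method} {f.path} -> {f.status} ({verdict})")
```

The allowed set is the part that needs care in practice: add_issue_notes is granted per role and per project in Redmine, so build the set from project memberships rather than one global list, and treat a 2xx result from a login outside it as the indicator that a note was added without the permission.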