Vulnerabilities > CVE-2017-15572 - Information Exposure Through Log Files vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

redmine

debian

CWE-532

nessus

NVD

Published: 2017-10-18

Updated: 2019-03-14

Summary

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.

Vulnerable Configurations

Part	Description	Count
Application	Redmine Redmine Redmine 3.3.0 Redmine Redmine 3.3.1 Redmine Redmine 3.3.2 Redmine Redmine 0.1.0 Redmine Redmine 0.2.0 Redmine Redmine 0.2.1 Redmine Redmine 0.2.2 Redmine Redmine 0.3.0 Redmine Redmine 0.4.0 Redmine Redmine 0.4.1 Redmine Redmine 0.4.2 Redmine Redmine 0.5.0 Redmine Redmine 0.5.1 Redmine Redmine 0.6.0 Redmine Redmine 0.6.1 Redmine Redmine 0.6.2 Redmine Redmine 0.6.3 Redmine Redmine 0.6.4 Redmine Redmine 0.7.0 Redmine Redmine 0.7.1 Redmine Redmine 0.7.2 Redmine Redmine 0.7.3 Redmine Redmine 0.7.4 Redmine Redmine 0.8.0 Redmine Redmine 0.8.1 Redmine Redmine 0.8.2 Redmine Redmine 0.8.3 Redmine Redmine 0.8.4 Redmine Redmine 0.8.5 Redmine Redmine 0.8.6 Redmine Redmine 0.8.7 Redmine Redmine 0.9.0 Redmine Redmine 0.9.1 Redmine Redmine 0.9.2 Redmine Redmine 0.9.3 Redmine Redmine 0.9.4 Redmine Redmine 0.9.5 Redmine Redmine 0.9.6 Redmine Redmine 1.0.0 Redmine Redmine 1.0.1 Redmine Redmine 1.0.2 Redmine Redmine 1.0.3 Redmine Redmine 1.0.4 Redmine Redmine 1.0.5 Redmine Redmine 1.1.0 Redmine Redmine 1.1.1 Redmine Redmine 1.1.2 Redmine Redmine 1.1.3 Redmine Redmine 1.2.0 Redmine Redmine 1.2.1 Redmine Redmine 1.2.2 Redmine Redmine 1.2.3 Redmine Redmine 1.3.0 Redmine Redmine 1.3.1 Redmine Redmine 1.3.2 Redmine Redmine 1.3.3 Redmine Redmine 1.4.0 Redmine Redmine 1.4.1 Redmine Redmine 1.4.2 Redmine Redmine 1.4.3 Redmine Redmine 1.4.4 Redmine Redmine 1.4.5 Redmine Redmine 1.4.6 Redmine Redmine 1.4.7 Redmine Redmine 2.0.0 Redmine Redmine 2.0.1 Redmine Redmine 2.0.2 Redmine Redmine 2.0.3 Redmine Redmine 2.0.4 Redmine Redmine 2.1.0 Redmine Redmine 2.1.1 Redmine Redmine 2.1.2 Redmine Redmine 2.1.3 Redmine Redmine 2.1.4 Redmine Redmine 2.1.5 Redmine Redmine 2.1.6 Redmine Redmine 2.2.0 Redmine Redmine 2.2.1 Redmine Redmine 2.2.2 Redmine Redmine 2.2.3 Redmine Redmine 2.2.4 Redmine Redmine 2.3.0 Redmine Redmine 2.3.1 Redmine Redmine 2.3.2 Redmine Redmine 2.3.3 Redmine Redmine 2.3.4 Redmine Redmine 2.4.0 Redmine Redmine 2.4.1 Redmine Redmine 2.4.2 Redmine Redmine 2.4.3 Redmine Redmine 2.4.4 Redmine Redmine 2.4.5 Redmine Redmine 2.4.6 Redmine Redmine 2.4.7 Redmine Redmine 2.5.0 Redmine Redmine 2.5.1 Redmine Redmine 2.5.2 Redmine Redmine 2.5.3 Redmine Redmine 2.6.0 Redmine Redmine 2.6.1 Redmine Redmine 2.6.2 Redmine Redmine 2.6.3 Redmine Redmine 2.6.4 Redmine Redmine 2.6.5 Redmine Redmine 2.6.6 Redmine Redmine 2.6.7 Redmine Redmine 2.6.8 Redmine Redmine 2.6.9 Redmine Redmine 2.6.10 Redmine Redmine 3.0.0 Redmine Redmine 3.0.1 Redmine Redmine 3.0.2 Redmine Redmine 3.0.3 Redmine Redmine 3.0.4 Redmine Redmine 3.0.5 Redmine Redmine 3.0.6 Redmine Redmine 3.0.7 Redmine Redmine 3.1.0 Redmine Redmine 3.1.1 Redmine Redmine 3.1.2 Redmine Redmine 3.1.3 Redmine Redmine 3.1.4 Redmine Redmine 3.1.5 Redmine Redmine 3.1.6 Redmine Redmine 3.1.7 Redmine Redmine 3.2.0 Redmine Redmine 3.2.1 Redmine Redmine 3.2.2 Redmine Redmine 3.2.3 Redmine Redmine 3.2.4 Redmine Redmine 3.2.5	135
OS	Debian Debian Debian Linux 9.0	1

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4191.NASL
description	Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information disclosure or cross-site scripting attacks.
last seen	2020-06-01
modified	2020-06-02
plugin id	109558
published	2018-05-04
reporter	This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109558
title	Debian DSA-4191-1 : redmine - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4191. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(109558); script_version("1.4"); script_cvs_date("Date: 2018/11/13 12:30:47"); script_cve_id("CVE-2017-15568", "CVE-2017-15569", "CVE-2017-15570", "CVE-2017-15571", "CVE-2017-15572", "CVE-2017-15573", "CVE-2017-15574", "CVE-2017-15575", "CVE-2017-15576", "CVE-2017-15577", "CVE-2017-16804", "CVE-2017-18026"); script_xref(name:"DSA", value:"4191"); script_name(english:"Debian DSA-4191-1 : redmine - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information disclosure or cross-site scripting attacks." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882544" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882545" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882547" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882548" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887307" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/redmine" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/redmine" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4191" ); script_set_attribute( attribute:"solution", value: "Upgrade the redmine packages. For the stable distribution (stretch), these problems have been fixed in version 3.3.1-4+deb9u1. In addition, this message serves as an announcement that security support for redmine in the Debian 8 oldstable release (jessie) is now discontinued. Users of redmine in Debian 8 that want security updates are strongly encouraged to upgrade now to the current Debian 9 stable release (stretch)." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:redmine"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"redmine", reference:"3.3.1-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"redmine-mysql", reference:"3.3.1-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"redmine-pgsql", reference:"3.3.1-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"redmine-sqlite", reference:"3.3.1-4+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References