JVNDB-2024-000055

Redmine DMSF Plugin vulnerable to path traversal

Overview

Redmine DMSF Plugin provided by Kontron contains a path traversal vulnerability (CWE-22).

Tsukuba Secure Network Research Co. Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

Kontron
  • Redmine DMSF Plugin versions prior to 3.1.4

Impact

When an affected version of the plugin is enabled on a Redmine instance, a logged-in user may obtain or delete arbitrary files on the server (within the privileges of the Redmine process).

Solution
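The advisory only classifies the flaw as CWE-22, so the example below is an added illustration of the standard mitigation for that class, not code from the DMSF plugin or from Kontron: every user-supplied file name is resolved against the plugin's storage directory and rejected if the canonical result falls outside it. The function names, the constructed directory layout and the sample inputs are assumptions for the demonstration.

```ruby
# Added example (not the DMSF plugin's own code): confining a user-supplied
# path to a base directory, the usual mitigation for path traversal (CWE-22).
require "tmpdir"
require "fileutils"

# Returns the absolute path of +requested+ resolved under +base_dir+, or nil
# when the result would escape +base_dir+. ".." segments and absolute paths
# are normalised by File.expand_path; symlinks are resolved with
# File.realpath so a link pointing outside the base is rejected as well.
def resolve_within(base_dir, requested)
  base = File.realpath(base_dir)
  candidate = File.expand_path(requested, base)
  # Resolve symlinks only when the target exists (a new upload may not yet).
  candidate = File.realpath(candidate) if File.exist?(candidate)
  # The trailing separator prevents "/srv/dmsf" from matching "/srv/dmsf2/x".
  return nil unless candidate == base || candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Read a file only if it resolves inside the storage directory.
def safe_read(base_dir, requested)
  path = resolve_within(base_dir, requested)
  return nil if path.nil? || !File.file?(path)
  File.read(path)
end

# Delete a file only if it resolves inside the storage directory.
def safe_delete(base_dir, requested)
  path = resolve_within(base_dir, requested)
  return false if path.nil? || !File.file?(path)
  File.delete(path)
  true
end

# Demonstration on a constructed layout: a storage directory with one document
# and a file outside it that must never be reachable through the plugin.
def demo
  Dir.mktmpdir do |root|
    storage = File.join(root, "dmsf_storage")
    FileUtils.mkdir_p(storage)
    File.write(File.join(storage, "report.txt"), "ok")
    File.write(File.join(root, "outside.txt"), "secret")
    {
      inside: safe_read(storage, "report.txt"),                   # "ok"
      dotdot: safe_read(storage, "../outside.txt"),               # nil
      nested_dotdot: safe_read(storage, "sub/../../outside.txt"), # nil
      absolute: safe_read(storage, File.join(root, "outside.txt")), # nil
      delete_outside: safe_delete(storage, "../outside.txt"),     # false
      outside_still_there: File.exist?(File.join(root, "outside.txt")),
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The check has to run on the decoded value that will actually reach the filesystem (Rails has already URL-decoded request parameters by the time a controller sees them), and it should be applied in both the download and the delete paths, since the advisory lists both obtaining and deleting files as the impact.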

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Version 3.1.4 has addressed this vulnerability.

Vendor Information

Kontron

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]

CVE

  1. CVE-2024-36267

References

  1. JVN : JVN#22182715

Revision History

  • [2024/05/29]
      Web page was published