oss-sec mailing list archives

Re: CVE request: redmine open redirector


From: cve-assign () mitre org
Date: Thu, 10 Apr 2014 08:05:33 -0400 (EDT)

Redmine versions 2.4.5 and 2.5.1 fixed an open redirector issue. The
code verifying the redirection URIs accepted scheme-relative URIs
which can lead to different hosts:

http://www.redmine.org/projects/redmine/wiki/Security_Advisories
http://www.redmine.org/projects/redmine/wiki/Changelog
https://github.com/redmine/redmine/commit/7567c3d8b21fe67e5f04e6839c1fce061600f2f3

On the Redmine Security Advisories page, "(referenced as
JVN#93004610)" would typically imply that these URLs may exist later:

  http://jvn.jp/jp/JVN93004610/index.html
  http://jvn.jp/en/jp/JVN93004610/index.html

Use CVE-2014-1985.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
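
The class of flaw described in the message above (a redirect-target check that accepts scheme-relative URIs), shown as an added Ruby illustration; this is not Redmine's code and not the referenced commit. `APP_HOST` and the function names are hypothetical, and the sample targets are constructed.

```ruby
require 'uri'

# Hypothetical application host, constructed for this example.
APP_HOST = 'tracker.example.org'

# Weak check: treats any reference without a scheme as a local path.
# URI.parse('//other.example/x') has a nil scheme but host 'other.example',
# so a scheme-relative reference passes and the browser leaves the site.
def weak_local_redirect?(target)
  uri = URI.parse(target.to_s)
  uri.scheme.nil? || uri.host == APP_HOST
rescue URI::InvalidURIError
  false
end

# Stricter check: accept only a path-absolute reference ("/..."), with no
# scheme and no authority, and reject a leading "//", any backslash and
# control characters, which a browser may read as the start of a host.
def strict_local_redirect?(target)
  s = target.to_s
  return false unless s.start_with?('/')
  return false if s.start_with?('//') || s.include?('\\')
  return false if s =~ /[\x00-\x1f\x7f]/
  uri = URI.parse(s)
  uri.scheme.nil? && uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Fall back to a fixed local page instead of following a rejected target.
def safe_redirect_target(target, fallback = '/')
  strict_local_redirect?(target) ? target : fallback
end

# Constructed sample targets, compared under both checks.
if __FILE__ == $PROGRAM_NAME
  ['/projects/redmine/issues?page=2', '//other.example/login',
   'http://other.example/', '/\\other.example'].each do |t|
    puts format('%-34s weak=%-5s strict=%-5s', t,
                weak_local_redirect?(t), strict_local_redirect?(t))
  end
end
```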

