Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.
{ "cpes": [ "cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:*" ], "severity": "Medium" }