Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.
{ "binaries": [ { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine" }, { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine-mysql" }, { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine-pgsql" }, { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine-sqlite" } ] }
{ "binaries": [ { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine" }, { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine-mysql" }, { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine-pgsql" }, { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine-sqlite" } ] }