CVE-2021-37156 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2021-37156

CWE

https://cwe.mitre.org/data/definitions/613.html

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the users account, but the intended behavior is for those sessions to be terminated.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name	Vendor	Start Version	End Version
Redmine	Redmine	4.2.0 (including)	4.2.0 (including)
Redmine	Redmine	4.2.1 (including)	4.2.1 (including)
Redmine	Ubuntu	bionic	*
Redmine	Ubuntu	focal	*
Redmine	Ubuntu	kinetic	*
Redmine	Ubuntu	lunar	*
Redmine	Ubuntu	mantic	*
Redmine	Ubuntu	trusty	*
Redmine	Ubuntu	xenial	*

Potential Mitigations

References

https://www.redmine.org/news/132
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/news/132
https://www.redmine.org/projects/redmine/wiki/Security_Advisories