{"id":"CVE-2019-18890","details":"A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.","modified":"2026-04-10T04:16:11.075949Z","published":"2019-11-21T18:15:11.883Z","references":[{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Nov/31"},{"type":"WEB","url":"https://usn.ubuntu.com/4200-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4574"},{"type":"ADVISORY","url":"https://www.redmine.org/projects/redmine/wiki/Security_Advisories"},{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2019-18890"},{"type":"PACKAGE","url":"https://github.com/RealLinkers/CVE-2019-18890"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/redmine/redmine","events":[{"introduced":"0"},{"fixed":"d48fdb632324123bb8c49ad95f06a871d349ec70"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.10"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18890.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}