Name | CVE-2017-16854 |
Description | In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1212-1, DSA-4066-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | fixed | |
buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed | |
bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
otrs2 | source | wheezy | 3.3.18-1~deb7u2 | DLA-1212-1 | ||
otrs2 | source | jessie | 3.3.18-1+deb8u3 | DSA-4066-1 | ||
otrs2 | source | stretch | 5.0.16-1+deb9u4 | DSA-4066-1 | ||
otrs2 | source | (unstable) | 6.0.2-1 |
https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/
https://bugs.otrs.org/show_bug.cgi?id=13347
OTRS-6: https://github.com/OTRS/otrs/commit/867aba14900f17caacb0285a08b6981bbdbbe016
OTRS-5: https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d
OTRS-4: https://github.com/OTRS/otrs/commit/e0deab303e3d0f7c860bba291410512734f4d6b0