CVE-2019-12497

NameCVE-2019-12497
DescriptionAn issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1816-1, DLA-3551-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)jessie, jessie (lts)3.3.18-1+deb8u15fixed
stretch/non-free (security), stretch/non-free (lts), stretch/non-free5.0.16-1+deb9u6vulnerable
buster/non-free (security), buster/non-free6.0.16-2+deb10u1fixed
bullseye/non-free6.0.32-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2sourcewheezy(unfixed)end-of-life
otrs2sourcejessie3.3.18-1+deb8u10DLA-1816-1
otrs2sourcebuster6.0.16-2+deb10u1DLA-3551-1
otrs2source(unstable)6.0.19-1

Notes

[stretch] - otrs2 <ignored> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-09-security-update-for-otrs-framework/
OTRS 6: https://github.com/OTRS/otrs/commit/f8bcf08dfc5f06915c1352c07e5f626f9b5ecfc2
OTRS 5: https://github.com/OTRS/otrs/commit/d4cc3f0e24937fa53870132003aec6af460b9b57

Search for package or bug name: Reporting problems