Name | CVE-2019-12746 |
Description | An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1877-1, DLA-3551-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
| stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | vulnerable |
| buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed |
| bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
otrs2 | source | wheezy | (unfixed) | end-of-life | | |
otrs2 | source | jessie | 3.3.18-1+deb8u11 | | DLA-1877-1 | |
otrs2 | source | buster | 6.0.16-2+deb10u1 | | DLA-3551-1 | |
otrs2 | source | (unstable) | 6.0.20-1 | | | |
Notes
[stretch] - otrs2 <ignored> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/
OTRS 6: https://github.com/OTRS/otrs/commit/fab16a8e54aaf033f460e5f98c673248f29ea49c
OTRS 6: https://github.com/OTRS/otrs/commit/cc08cb7df9f6dde05de2f8c6cbd59cd5d0952627
OTRS 5: https://github.com/OTRS/otrs/commit/7ab33e51a4db9f712e979040f644d0d0c39ff0af