CVE-2019-18179

Name: CVE-2019-18179
Description: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2053-1, DLA-3551-1
Debian Bugs: 945251

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
| | stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | vulnerable |
| | buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed |
| | bullseye/non-free | 6.0.32-6 | fixed |

The information below is based on the following data on fixed versions.

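| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| otrs2 | source | wheezy | (unfixed) | end-of-life | | |
| otrs2 | source | jessie | 3.3.18-1+deb8u12 | | DLA-2053-1 | |
| otrs2 | source | buster | 6.0.16-2+deb10u1 | | DLA-3551-1 | |
| otrs2 | source | (unstable) | 6.0.24-1 | | | 945251 |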

Notes

[stretch] - otrs2 <ignored> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
OTRS 6.0: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351
OTRS 6.0: https://github.com/OTRS/otrs/commit/d873fde85260e50f7e7a9f47c691b1cafd237119
OTRS 6.0: https://github.com/OTRS/otrs/commit/0ec21884a2a1573987bf77631dc5a54d951280b7
OTRS 5.0: https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e
