Name | CVE-2019-18179 |
Description | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-2053-1, DLA-3551-1 |
Debian Bugs | 945251 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
otrs2 (PTS) | stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | vulnerable |
otrs2 (PTS) | buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed |
otrs2 (PTS) | bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
otrs2 | source | jessie | 3.3.18-1+deb8u12 | | DLA-2053-1 | |
otrs2 | source | buster | 6.0.16-2+deb10u1 | | DLA-3551-1 | |
otrs2 | source | (unstable) | 6.0.24-1 | | | 945251 |
[stretch] - otrs2 <ignored> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
OTRS 6.0: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351
OTRS 6.0: https://github.com/OTRS/otrs/commit/d873fde85260e50f7e7a9f47c691b1cafd237119
OTRS 6.0: https://github.com/OTRS/otrs/commit/0ec21884a2a1573987bf77631dc5a54d951280b7
OTRS 5.0: https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e