CVE-2020-1776

NameCVE-2020-1776
DescriptionWhen an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3551-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)jessie, jessie (lts)3.3.18-1+deb8u15vulnerable
stretch/non-free (security), stretch/non-free (lts), stretch/non-free5.0.16-1+deb9u6vulnerable
buster/non-free (security), buster/non-free6.0.16-2+deb10u1fixed
bullseye/non-free6.0.32-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2sourcejessie(unfixed)end-of-life
otrs2sourcebuster6.0.16-2+deb10u1DLA-3551-1
otrs2source(unstable)6.0.29-1

Notes

[stretch] - otrs2 <ignored> (Non-free not supported)
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
Fixed in 7.0.18, 6.0.29
OTRS6: https://github.com/OTRS/otrs/commit/4514f95f747be368c3dc9a9452ff9aa66506648d

Search for package or bug name: Reporting problems