| Summary: | <www-apps/otrs-4.0.12: Incomplete Access Control (CVE-2014-9324) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | lists, patrick, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/ | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |

CVE-2014-9324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9324): The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.

Author: Ian Delaney <idella4@gentoo.org>
Date: Thu Oct 1 12:55:13 2015 +0800

www-apps/otrs: Designate new maintainer in metadata, bump to -4.0.12

New maintainer added & supported under the proxy-maintainers herd, testing and revision carried out thanks also to wraeth, fix to broken .png file applied according to past bug #466190 supplied by Blackb|rd, all patches and revisions of ebuilds supplied via bug cited below, releases after -3.2.12 skipped, holding off from beta versions of version 5.x for now, removed old versions prior to -3.2.12. Finally closes the gentoo bug.

commit 8719c0549974cef1a8f1d7b3362f1be35678b478
Author: Ian Delaney <idella4@gentoo.org>
Date: Mon Oct 5 16:04:44 2015 +0800

www-apps/otrs clean old version wrt bug #532912

From ${URL} :

Security Advisory Details
ID: OSA-2014-06
Date: 2014-12-16
Title: Incomplete Access Control
Severity: low (Overall CVSS Score : 2.7)
Product: OTRS 3.2.x, 3.3.x, 4.0.x
Fixed in: OTRS 3.2.17, 3.3.11, 4.0.3
URL: [TBD]
FULL CVSS v2 VECTOR: (AV:N/AC:M/AU:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND)
References: CVE-2014-9324

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.