| Summary: | www-apps/otrs: privilege escalation (CVE-2018-14593) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/ | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=692398 | | |
| Whiteboard: | ~1 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2018-08-22 23:12:32 UTC
ID: OSA-2018-03
Date: 2018-07-31
Title: Privilege Escalation
Severity: 7.2 High
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.10, OTRS 5.0.29, OTRS 4.0.31
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:H/RL:O/RC:C
References: CVE-2018-14593

Vulnerability Description
=========================

This advisory covers vulnerabilities discovered in the OTRS framework.

Privilege Escalation
====================

An attacker who is logged into OTRS as a user may escalate their privileges by accessing a specially crafted URL.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.9, OTRS 5.0.x up to and including 5.0.28, and OTRS 4.0.x up to and including 4.0.30.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level. Fixed releases can be found at: https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

OTRS 6: https://github.com/OTRS/otrs/commit/57cda14db8fdbcbfb8cabb32d85fbc89fde48c62
OTRS 5: https://github.com/OTRS/otrs/commit/7b6802723e1f5d1764b617e9fcf0a8dd21e96216
OTRS 4: https://github.com/OTRS/otrs/commit/78331ea187181d6130189d4563a50b4c30256320

However, to avoid unwanted side effects, we recommend a complete update.

Thanks to Francesco Sirocco for discovering and reporting this issue.

Privilege escalation within the web-app, not on the running host itself.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa950e734b5caed317ac64dff518b8b33b797ba0

commit aa950e734b5caed317ac64dff518b8b33b797ba0
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:25:22 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:37 +0000

www-apps/otrs: Last rites

Bug: https://bugs.gentoo.org/692398
Bug: https://bugs.gentoo.org/664326
Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
Closes: https://github.com/gentoo/gentoo/pull/15907
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

profiles/package.mask | 6 ++++++
1 file changed, 6 insertions(+)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=934a47e2dfc9eb2ff6a38198622584ef458f028d

commit 934a47e2dfc9eb2ff6a38198622584ef458f028d
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-09 12:41:39 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-09 12:43:17 +0000

www-apps/otrs: remove last-rited package

www-apps/otrs had a large number of vulnerabilities and was unmaintained within Gentoo.

Bug: https://bugs.gentoo.org/692398
Bug: https://bugs.gentoo.org/664326
Signed-off-by: Sam James <sam@gentoo.org>

profiles/base/package.use.stable.mask | 1 -
profiles/package.mask | 6 --
www-apps/otrs/Manifest | 5 --
www-apps/otrs/files/otrs.service | 13 ---
www-apps/otrs/metadata.xml | 11 ---
www-apps/otrs/otrs-5.0.25.ebuild | 154 --------------------------------
www-apps/otrs/otrs-6.0.3.ebuild | 156 --------------------------------
www-apps/otrs/otrs-6.0.4.ebuild | 156 --------------------------------
www-apps/otrs/otrs-6.0.5.ebuild | 156 --------------------------------
www-apps/otrs/otrs-6.0.7.ebuild | 157 ---------------------------------
10 files changed, 815 deletions(-)

Tree is now clean. Package was ~ so noglsa. Closing.