Bug 664326 (CVE-2018-14593) - www-apps/otrs: privilege escalation (CVE-2018-14593)
Summary: www-apps/otrs: privilege escalation (CVE-2018-14593)
Alias: CVE-2018-14593
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa cve]
Depends on:
Reported: 2018-08-22 23:12 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-09 12:48 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:12:32 UTC
CVE-2018-14593:
  An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through
  6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is
  logged into OTRS as an agent may escalate their privileges by accessing a
  specially crafted URL.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:14:38 UTC
ID: OSA-2018-03
Date: 2018-07-31
Title: Privilege Escalation
Severity: 7.2 High
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.10, OTRS 5.0.29, OTRS 4.0.31
References: CVE-2018-14593

Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS framework.

Privilege Escalation
An attacker who is logged into OTRS as a user may escalate their privileges by accessing a specially crafted URL.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.9, OTRS 5.0.x up to and including 5.0.28, and OTRS 4.0.x up to and including 4.0.30.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

Detailed information about the changes:

However, to avoid unwanted side effects, we recommend a complete update.

Thanks to Francesco Sirocco for discovering and reporting this issue.
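The advisory gives three affected branches with a different first-fixed release in each, which is easy to get wrong with a plain "is my version below 6.0.10" check. The following is an added example, not code from OTRS, the OTRS advisory or the Gentoo tree: it encodes exactly the ranges stated in OSA-2018-03 above and reports whether a given OTRS version is affected. The `RELEASE` file format it parses (a `VERSION = x.y.z` line in the OTRS root directory) is an assumption about how a deployed instance reports its version, and the sample file contents are constructed for the example.

```python
"""Check an OTRS version against the affected ranges of OSA-2018-03 / CVE-2018-14593.

Added example, not OTRS or Gentoo code. Affected ranges and fixed releases are
taken from the advisory text; the RELEASE file format is an assumption.
"""
import re

# Per 4.0 / 5.0 / 6.0 branch: the first release that contains the fix,
# as stated in OSA-2018-03. Every earlier release on that branch is affected.
FIXED_IN = {
    (4, 0): (4, 0, 31),
    (5, 0): (5, 0, 29),
    (6, 0): (6, 0, 10),
}


def parse_version(s):
    """Parse 'major.minor.patch' into an int tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", s)
    if not m:
        raise ValueError(f"unrecognised OTRS version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True/False for branches covered by the advisory, None otherwise.

    None means the advisory says nothing about this branch (e.g. 3.x or 7.x),
    which must not be silently reported as 'not affected'.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_IN:
        return None
    return v < FIXED_IN[branch]


def version_from_release_file(text):
    """Extract the VERSION value from OTRS RELEASE file contents (format assumed)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "VERSION":
            return value.strip()
    raise ValueError("no VERSION line found in RELEASE file")


def check_release_file(text):
    """Return (version, affected) for the contents of a RELEASE file."""
    version = version_from_release_file(text)
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample RELEASE file for an instance on the last vulnerable 6.0 release.
    SAMPLE_RELEASE = "PRODUCT = OTRS\nVERSION = 6.0.9\n"
    version, affected = check_release_file(SAMPLE_RELEASE)
    state = {True: "AFFECTED", False: "fixed", None: "not covered by OSA-2018-03"}[affected]
    print(f"OTRS {version}: {state}")
```

On a real host the input would be the contents of the `RELEASE` file under the OTRS installation directory; the three-valued result keeps an out-of-scope branch distinct from a patched one, so a 7.x or 3.x instance is flagged for manual review rather than reported as safe.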
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:15:24 UTC
Privilege escalation within the web-app, not on the running host itself.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-04 19:15:02 UTC
The bug has been referenced in the following commit(s):

commit aa950e734b5caed317ac64dff518b8b33b797ba0
Author:     Sam James (sam_c) <>
AuthorDate: 2020-06-04 18:25:22 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-06-04 19:14:37 +0000

    www-apps/otrs: Last rites
    Signed-off-by: Sam James (sam_c) <>
    Signed-off-by: Thomas Deutschmann <>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2020-07-09 12:43:29 UTC
The bug has been referenced in the following commit(s):

commit 934a47e2dfc9eb2ff6a38198622584ef458f028d
Author:     Sam James <>
AuthorDate: 2020-07-09 12:41:39 +0000
Commit:     Sam James <>
CommitDate: 2020-07-09 12:43:17 +0000

    www-apps/otrs: remove last-rited package
    www-apps/otrs had a large number of vulnerabilities
    and was unmaintained within Gentoo.
    Signed-off-by: Sam James <>

 profiles/base/package.use.stable.mask |   1 -
 profiles/package.mask                 |   6 --
 www-apps/otrs/Manifest                |   5 --
 www-apps/otrs/files/otrs.service      |  13 ---
 www-apps/otrs/metadata.xml            |  11 ---
 www-apps/otrs/otrs-5.0.25.ebuild      | 154 ---------------------------------
 www-apps/otrs/otrs-6.0.3.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.4.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.5.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.7.ebuild       | 157 ----------------------------------
 10 files changed, 815 deletions(-)
Comment 5 Sam James gentoo-dev 2020-07-09 12:47:31 UTC
Tree is now clean. Package was ~ so noglsa. Closing.