Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 664326 (CVE-2018-14593) - www-apps/otrs: privilege escalation (CVE-2018-14593)
Summary: www-apps/otrs: privilege escalation (CVE-2018-14593)
Status: RESOLVED FIXED
Alias: CVE-2018-14593
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://community.otrs.com/security-a...
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-22 23:12 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-09 12:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:12:32 UTC
CVE-2018-14593 (https://nvd.nist.gov/vuln/detail/CVE-2018-14593):
  An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through
  6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is
  logged into OTRS as an agent may escalate their privileges by accessing a
  specially crafted URL.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-08-22 23:14:38 UTC
ID: OSA-2018-03
Date: 2018-07-31
Title: Privilege Escalation
Severity: 7.2 High
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.10, OTRS 5.0.29, OTRS 4.0.31
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H­/A:L/E:H/RL:O/RC:C
References: CVE-2018-14593

Vulnerability Description
=========================

This advisory covers vulnerabilities discovered in the OTRS framework.


Privilege Escalation
====================
An attacker who is logged into OTRS as a user may escalate their privileges by accessing a specially crafted URL.


Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.9, OTRS 5.0.x up to and including 5.0.28, and OTRS 4.0.x up to and including 4.0.30.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

    https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

OTRS 6:

    https://github.com/OTRS/otrs/commit/57cda14db8fdbcbfb8cabb32d85fbc89fde48c62

OTRS 5

    https://github.com/OTRS/otrs/commit/7b6802723e1f5d1764b617e9fcf0a8dd21e96216

OTRS 4

    https://github.com/OTRS/otrs/commit/78331ea187181d6130189d4563a50b4c30256320

However, to avoid unwanted side effects, we recommend a complete update.

Thanks to Francesco Sirocco for discovering and reporting this issue.
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-08-22 23:15:24 UTC
Privilege escalation within the web-app, not on the running host itself.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-04 19:15:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa950e734b5caed317ac64dff518b8b33b797ba0

commit aa950e734b5caed317ac64dff518b8b33b797ba0
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:25:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:37 +0000

    www-apps/otrs: Last rites
    
    Bug: https://bugs.gentoo.org/692398
    Bug: https://bugs.gentoo.org/664326
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15907
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2020-07-09 12:43:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=934a47e2dfc9eb2ff6a38198622584ef458f028d

commit 934a47e2dfc9eb2ff6a38198622584ef458f028d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-09 12:41:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-09 12:43:17 +0000

    www-apps/otrs: remove last-rited package
    
    www-apps/otrs had a large number of vulnerabilities
    and was unmaintained within Gentoo.
    
    Bug: https://bugs.gentoo.org/692398
    Bug: https://bugs.gentoo.org/664326
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/base/package.use.stable.mask |   1 -
 profiles/package.mask                 |   6 --
 www-apps/otrs/Manifest                |   5 --
 www-apps/otrs/files/otrs.service      |  13 ---
 www-apps/otrs/metadata.xml            |  11 ---
 www-apps/otrs/otrs-5.0.25.ebuild      | 154 ---------------------------------
 www-apps/otrs/otrs-6.0.3.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.4.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.5.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.7.ebuild       | 157 ----------------------------------
 10 files changed, 815 deletions(-)
Comment 5 Sam James archtester gentoo-dev Security 2020-07-09 12:47:31 UTC
Tree is now clean. Package was ~ so noglsa. Closing.