CVE-2019-18179
Published: 6 January 2020
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
otrs2 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(6.0.24-1)
|
|
| groovy |
Not vulnerable
(6.0.24-1)
|
|
| hirsute |
Not vulnerable
(6.0.24-1)
|
|
| impish |
Not vulnerable
(6.0.24-1)
|
|
| jammy |
Not vulnerable
(6.0.24-1)
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
Patches: upstream: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351 upstream: https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |