1157523 – (CVE-2019-18179) VUL-1: CVE-2019-18179: otrs: list tickets assigned to other agents

Bug 1157523 (CVE-2019-18179) - VUL-1: CVE-2019-18179: otrs: list tickets assigned to other agents

Summary: VUL-1: CVE-2019-18179: otrs: list tickets assigned to other agents

Status:	RESOLVED DUPLICATE of bug 1157001

Alias:	CVE-2019-18179

Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Basesystem (show other bugs)
Version:	Leap 42.3
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor (vote)
Target Milestone:	---
Assignee:	Christian Wittmer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/247713/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2019-11-22 08:17 UTC by Alexander Bergmann
Modified:	2019-12-28 18:27 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2019-11-22 08:17:26 UTC

CVE-2019-18179

An attacker who is logged into OTRS as an agent is able to list tickets
assigned to other agents, which are in the queue where attacker doesn’t have
permissions.

Upstream fixes:
https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351 6.x
https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e 5.x

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18179
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18179.html

Comment 1 Christian Wittmer 2019-12-28 18:27:06 UTC

duplicate of #1157001

*** This bug has been marked as a duplicate of bug 1157001 ***